Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2025, 04:01

Static task: static1

Behavioral task: behavioral1
Sample: 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
Resource: win10v2004-20250217-en

General
Target: 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
Size: 520KB
MD5: 667516e24eecd896dd4283cbe83980e8
SHA1: 9dbe2a7f1c0673095a529d6719158a27a86613cf
SHA256: 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1
SHA512: 03acba91f185699c811789b806f5dcf4e1b070a77eab463c2affc431740507d502201dbb11ddcd58691d876dca47ecc32ba085277334da849be7c525e97d35e8
SSDEEP: 12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX9:zW6ncoyqOp6IsTl/mX9
Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload 9 IoCs
Modifies firewall policy service 3 TTPs 8 IoCs
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHN\\service.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
Executes dropped EXE 23 IoCs
Loads dropped DLL 45 IoCs
Adds Run key to start application 2 TTPs 22 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry key 1 TTPs 4 IoCs
pid / Process: 1588 reg.exe, 1960 reg.exe, 2096 reg.exe, 2404 reg.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
Suspicious use of SetWindowsHookEx 26 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[Level 1] C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 816

[Level 2] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempMDYBN.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2212

[Level 3] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKVAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2184

[Level 2] C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3028

[Level 3] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempXWIQI.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3032

[Level 4] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UHLHFVTKJLHDENJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2916

[Level 3] C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2772

[Level 4] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempIWDTM.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2552

[Level 5] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTVHNUUFYANWJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 736

[Level 4] C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1136

[Level 5] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempUMAJV.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2764

[Level 6] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RXNLPKSHIYAHHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe" /f
- Adds Run key to start application
PID: 336

[Level 5] C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2252

[Level 6] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempDHYUV.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 624

[Level 7] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLKMCPXGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 456

[Level 6] C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2260

[Level 7] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempIQKPM.bat" "
- System Location Discovery: System Language Discovery
PID: 2396

[Level 8] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCDAJBGVUIJFDFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 1940

[Level 7] C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 948

[Level 8] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempMWRFC.bat" "
- System Location Discovery: System Language Discovery
PID: 1624

[Level 9] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2632

[Level 8] C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 1656

[Level 9] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempEUHPJ.bat" "
PID: 2584

[Level 10] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQVBCAIAFUTHIEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2384

[Level 9] C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 2448

[Level 10] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempVGSDC.bat" "
- System Location Discovery: System Language Discovery
PID: 2704

[Level 11] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BIMADOQLJMBPWFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2156

[Level 10] C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2644

[Level 11] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
- System Location Discovery: System Language Discovery
PID: 424

[Level 12] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJTEUDTURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2948

[Level 11] C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3032

[Level 12] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempCLHVU.bat" "
PID: 2900

[Level 13] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNSFJECTYRHHJEA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2428

[Level 12] C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2200

[Level 13] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempIGKFM.bat" "
- System Location Discovery: System Language Discovery
PID: 1680

[Level 14] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQLRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 584

[Level 13] C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1612

[Level 14] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempGOGAJ.bat" "
PID: 1432

[Level 15] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JFDTRIHKFBCLHVU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f
- Adds Run key to start application
PID: 836

[Level 14] C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2372

[Level 15] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCA.bat" "
- System Location Discovery: System Language Discovery
PID: 2376

[Level 16] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2424

[Level 15] C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1956

[Level 16] C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\TempGOINK.bat" "
- System Location Discovery: System Language Discovery
PID: 2496

[Level 17] C:\Windows\SysWOW64\reg.exe
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PUABHETSGHDBDYT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 964

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1496 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "17⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f18⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1052
-
-
-
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2080 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "18⤵
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSERUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f19⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1716
-
-
-
C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1656 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\TempSTYEF.bat" "19⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe" /f20⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2924
-
-
-
C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2116 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\TempOPUBC.bat" "20⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSJWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe" /f21⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1892
-
-
-
C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe"C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2972 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "21⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f22⤵
- Adds Run key to start application
PID:1928
-
-
-
C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2304 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "22⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe" /f23⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1744
-
-
-
C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe"C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\TempVCTMR.bat" "23⤵PID:2316
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTUHNUUFYNWJI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /f24⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:112
-
-
-
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1132 -
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exeC:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2480 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f25⤵
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f26⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2404
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe:*:Enabled:Windows Messanger" /f25⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe:*:Enabled:Windows Messanger" /f26⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2096
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f25⤵
- System Location Discovery: System Language Discovery
PID:108 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f26⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f25⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f26⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1960
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Impair Defenses (1)
    - Disable or Modify System Firewall (1)
  - Modify Registry (3)
Downloads
- Filesize: 163B
  MD5: 296acaf38f1112b3b57011ec45757f14
  SHA1: af100448f9f10b0f918cc1bc805ca868af1573c3
  SHA256: 8d4d127d35f6dcfc835a060d8fd313e8dfe259f63c461d7fb6f39fead194e5c2
  SHA512: 52eb42f77f7c192217d93ec643a237d08acaaad07d84950cb98f429b0d80f42d194e0d1678eba09de69271a7634a9d7107020df7f9d42c91b9c63288bb21240e
- Filesize: 163B
  MD5: e13f314830c35740302e2988e38038ed
  SHA1: 25ae4d4027f1d379c14175ed5431ae564c074ec4
  SHA256: 5a2491d3063b42a11f0fc9fd9dd345e475c6de25bd0e3ac44f6e2cbd0435dd86
  SHA512: 15eb39f7a5845955431d921816f979af697e1d637f3feb68cd2d811bb833bec0e99eeb032833d187f517270d6331d14c44bb0686ce7cdc26953f1626915b2d17
- Filesize: 163B
  MD5: ce316d102fe17369fb900df03386151d
  SHA1: 8bab2bd5df4620f24b14caeaecddbc6bba4ce07d
  SHA256: c502884dc7a51d0501e9a4a09c9d1e53cc78d826c4fd7d4d57971ccc381da2f8
  SHA512: 0b64df1de5c1c846f0f0a1297eed4fb5ba0e1c096f106ae220a2082f33fb653195afd09d702e7b11db7f6260bf631d00091ac044ebb6a4158714f494c8786576
- Filesize: 163B
  MD5: 8906192e2704307f41c53839d8ffb47f
  SHA1: 3d1d811e339cb09209b25a1c947b8d132832ebb4
  SHA256: 4419766c59bf9527d61ea35deeeb0b2e7aeb0f72a87892b6d04eef1d9b18049b
  SHA512: d205217a4abafc89aee5ed77dbbbba141a980b1c28aa978784b424a1809e4bdcef0ae3e8a8588c3f3a79c4706f926777c1a8fd1f50d7a504fad776eb659db077
- Filesize: 163B
  MD5: 00a1aab76be53cc31bc46547536ce0b4
  SHA1: e470a4805a7225a254c33b920d2279909558e524
  SHA256: c1f64ee2489a51a9fb8f0d52f1fe843cc8f8e6641d167e4bac724cb970c35de7
  SHA512: b71318c4e0022eed6683766dbecff358dbf8db16569632b8284c2ebc5d5b67319374cac939be5e25281a1c53181bb583b85cdd122fc6ffdaa0c55c580214489a
- Filesize: 163B
  MD5: 66cb8e84ac9e70eb9c5461f1df9fbd49
  SHA1: ae2074b6c5565d02c05aba6752b4a3f2288f8f13
  SHA256: 03b34ef5801e82a5f39a733a9862cfc378f5246115e37246ae7c2d955c82a387
  SHA512: 6f4667b820f01aae418f6b28c324fcf21e8176908b3d8e05f36616bab914b3bd29fb7dc85504ce5e2c6cac3f1f1f0b8221a6232ac0e05209daceb7f2c82d16a6
- Filesize: 163B
  MD5: 259fcf2d77cd48c375b929493d9e95d0
  SHA1: ae081b27b04fa7248d5a76d5a71b4cf3abb748cf
  SHA256: 03d5d4132156b47723a4dbb1e4c4972cddb4849d49c11bd99b16b9b0741b3253
  SHA512: daa5860fd72a954f303015944d10875b968a5e40d2631e7c110696447747ceac4e47d29f3c523ae1d576c48dfbc14a1ab2f5b0f18ef4ae8686b6a53fef50dcfa
- Filesize: 163B
  MD5: f3215b76593a1894e5edd5c1c2515fc8
  SHA1: 87b29a6a8aa5d8921204495707055b6e7d6c4ea9
  SHA256: 416b48bac5678aea5a8fd357feae17a8ed365eb8b54e70df138642ebd1553144
  SHA512: a2aaf9cb0794b1f5524dbf1f558b0f593cfeeab84f397ba670ba7e4319a3216db4a514c067f3dac58b1eb75767f58560408eb87095025e2e2432c87b77e71a0e
- Filesize: 163B
  MD5: 7fe370d59da451691de97d72e1472222
  SHA1: bc7e8443e5f501fb7e50e75592d87d98d48cc99f
  SHA256: 47664deac2a316be349e5efb72fa9f129d3ea70e6dba1066f9b8345d921a3747
  SHA512: b52fa7c1927eddec513b3cb7097d547a0feb507e5a8ec6547083e4601abac714bfbf820c2eb38b7f2e1f6d49da59b0474915a9e313af310717384a02f71d4e24
- Filesize: 163B
  MD5: e6971fc5ad2bb62beef1e7af5975375e
  SHA1: 28cc9cdf959d6949d98d965a0e5c6686fae0c421
  SHA256: 631e83a43ba699b3f360f0a6f4862b3c0644e14cc596e75eb1d05e014970af58
  SHA512: 8f7357df0d71ecf54199480c5eb4064380c554f3c877ad0d9ec42ff573da506cca3514842916d4cd5b8cee09cbcfd7cf98fb02104929c7a0278411efda48c0a8
- Filesize: 163B
  MD5: 1c95cf0a551ea20f4178aae177d34802
  SHA1: 20066dae2ed26163ec9a8a4ce88b7ef4aa99bb1a
  SHA256: 8aee5c73502e5e832cecf66dc66a0831d219c4decb1f3d9197255ab59fe7fe48
  SHA512: 82f0fa523d17a176fa6d2946bec85f424fd784766ebcc0ba730a4ac2ca6aa536c3afa8a7803cbc1868a8d26b6c41af3c3f3f070a64a76066b5e15332f74cb11c
- Filesize: 163B
  MD5: 56e62a5261bbb9ce37e157e5fceec40e
  SHA1: 4103106c6409939c1fd12cf35abe3ed28da06548
  SHA256: 448934e2951d7cc4e4444d9209fb88d131faf2c1755a0cce3e9577107e46b2fc
  SHA512: 860aef0aa30a9db4958069deb123e78e9893041b09bc260c0d833d28c5768cf1bbc39298448baff55a88fec9bf63e4a28b0f68b4d2d02e13c92a749cc49654ba
- Filesize: 163B
  MD5: 6edac9d3462022d02e120279da89ddaf
  SHA1: f278c52733191d69d88dbe1df8b6a02a93ba3fea
  SHA256: 22ab5108adb550ada184626694ebf822a31cb5f87674570ffb6ae03af94fa1bc
  SHA512: ac9a38118f86ff136674e058c047c65089df3f0029a4226e3031a41b31a8ed17b1b82bb1abf51abfe993eca6ad044ce249016b435891c4674d1e924517ed110b
- Filesize: 163B
  MD5: 262a690383101b6d14fcf1d0035fcd22
  SHA1: 8598f6acc2d04374c8d94d6078fd8659c69b3f6d
  SHA256: 87ebc880c05ffe5dc9060d56b13f5e711373281f53e9e5fc2cc441bbab7c7f99
  SHA512: 9754dcad33af28e5b2fa337085fc2d0b4c2d200566773f41c1c2c24a93605bd2e622b29e44c88c4862a6bbbfb4c21546ffe7f17363f4a60e595c22b202f2d477
- Filesize: 163B
  MD5: 4c4d019560d9fc027ebb29c920f78fef
  SHA1: 638fea69835acacd2105f6463785ebf08cc19ed8
  SHA256: b566f27e1772a74b1b53c7b97e17b040c53109e5a75a3272a3f8b94c20edcf43
  SHA512: 692f991138ba390079445c42fca536bec82c76dacff046f8b455b173c504d04c3ed939eff36432506f88eda464e73561d2246f5e298e2324a5dfff6f70a36147
- Filesize: 163B
  MD5: e504d0c45a4a9b32ff935364e8dfe1f0
  SHA1: 5bbc93f6ed0dc1ae5fb35802c9c6037862b5e442
  SHA256: 95ca150dd41cadf95c3b7de18442c2e6d0332331a7fdb263a69ae43f50525c00
  SHA512: 56a76f9af3d60d6a0f1b4a3ebf6e5e00f36694bde6c836bdf43b271702c85a73aa99037cd042568acbf7fa8a50abf73bd1590843fa469ad201cb1cc140eb25e9
- Filesize: 163B
  MD5: 1ec7e3ccc363d8da29003f6ca9f20bcb
  SHA1: 0f0f489d7aa81ef3940691225309146a6831f60c
  SHA256: abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c
  SHA512: bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2
- Filesize: 163B
  MD5: 7439353d31c70df02f64cdc035298ca3
  SHA1: b9685b6b456d50c0721f4e62c42199fb2926d79c
  SHA256: 2cc151bfcc3b54be65d0b149ccb72a7f38a28375d6a894f6d7b93a35398d9e00
  SHA512: 5d36b623231de6ef0645aa6741021aae4aa2fb7d03bc59732adf104a2773ee3e69d867b6bb2cda00b74003e5cc2491028bb1ad6a57701e4f28462aa3aa7c62fe
- Filesize: 163B
  MD5: 5566146a4b2e398cf04636ebeddd1886
  SHA1: cb43f0a532d335a4b29784df4b4502d0fbd9f793
  SHA256: e2a4d7333071126742ab4b180059cad2f7e7539566b84e397765b000b86f2cd6
  SHA512: a8d1a401f690f4fc15a1ede5cce84aa4d332b7f6c1c61a601b303f10a7a3a932e30372e975f5c5d2bdddbfa52791979ac373f1371c128f71603ee2ac0c7390fa
- Filesize: 163B
  MD5: fe328125766781fae9680412f03ae7d0
  SHA1: c2deb156fb0ba41db7649045818b1a9ca0593e9e
  SHA256: 9fefbc395dc92a415c6c807d1eb0050c78c6c17bcb450326c0e441550e2c8fdc
  SHA512: 0e660c44614ba8224eecca39273cb980c9786e11ccb63b5a6ae4910bc24f063a42a201ddaf080ab1148da7636b8fbaab5201fa2eeee14ef82978af2490eec2d6
- Filesize: 163B
  MD5: 7ac1fabc9df638590705057fcfb35843
  SHA1: 713852ced0fe693801d29d556f4945ce46712ebe
  SHA256: ef520fbaa273cc23c26e024e90e9aa9168b4f8968c42a14f802b7d1048f5fccd
  SHA512: f523462b0075a98e2bc697cc4c2b06192466148f8fc3f8cd3d0d55a32df5153d0307eba4c59236e8c4ba016b36683a57b1c990f130e52518c01093cd8cff6c71
- Filesize: 163B
  MD5: 4b7bc7b3abf2679d6f571f7b703398f6
  SHA1: b3361bdd0816710b4384e96962fc246749a2e743
  SHA256: 29a0b1eb97a4373a336fee28d7036c61625a8bb4ba6fc9cd7f1058ec5e793c24
  SHA512: 2e2e5ae863dfeb8a891830ad0e8ee35c7a195047100b16785400e37ee7868047620b7d17c6699ff983c04d96733584ff137ed8f413219f9e353b5f5b24ac8829
- Filesize: 520KB
  MD5: b64194c217222a7ca06370bdf11dcae5
  SHA1: 97eb6f40380f81cd90f74a753e353a7c7cf6406b
  SHA256: f58a96b923aaa51c27f95d1fe125e772d68c67ed99a03298ac2fdfb9f4517195
  SHA512: ca8ec64b8928a341d1ddc8e01793ffa1fa832349246086ff1baf24569f3d47d01747c5d94e6fa261bb5ac85629ddd3397d426917718aaf2aa7177432c47adb47
- Filesize: 520KB
  MD5: 25b5751c2d793598d4c8d9f1a4facdcd
  SHA1: e8fd5fe05011c3e04251e963a0431996d21fb24c
  SHA256: 04b833f0884fb69ac0ff95abd2a156e25e331c85bdf471314495fa361d65812b
  SHA512: c411f4cf17962a8ec3491888dfa5e488505b0e29f1717439b846da464bdffc68d3633d2cfc42b93e7e3390ed6cbb4f60b03512ede3bd9e8433db2071bbe53c85
- Filesize: 520KB
  MD5: a4bc60b2edeb8fd437b89ea4f85bfafc
  SHA1: 0da4a6ab94348a2316f9925ce23f804af2099400
  SHA256: 599f468b1630bfb1f17034e5978390466d59b2bfd277e2458a57e8def2c2763b
  SHA512: 48423900efdb99b87ce8e7bd911567868cadd22539326bab9fa78b81c7d0331bbf18e192b7de15e1f048afd2a30cdf8fd9c5703ef9d24ea1fec664c6f69e3b68
- Filesize: 520KB
  MD5: 381b239c932d48942b47f1e4b3ea6b06
  SHA1: 4cca950f0b21c7b33f79c8f77cf947404a8992fe
  SHA256: 4050a05d3c9817269f7708e110b06a37f4a0631f02e37cbe6dfd503ae2b05cb9
  SHA512: eba09931f71d593a452af3552440fd4a93a8b3d47d4a7cb906ae19849a71395e108b80d51ade68b67c221ea588e5bc3ac403e7a7c3f1bb28cb2964785d6332e2
- Filesize: 520KB
  MD5: c76083791bf3f55520671c3c4c698619
  SHA1: 313dd997afeed5874344eb5ba0962d80f933236c
  SHA256: daa1e5031f6e4e98d3bdfb3d4e07faebeb95f1bc0be123d8fc239bb023863fa3
  SHA512: 588921b9a9a57c739a2ccdd3ba2fd90f1d1df70ef5f71dc5ac2df0bc722d33e43fbc6035cf47f0df84f62a8d44396850e66755ccc8366e65f2547adf2c2d6129
- Filesize: 520KB
  MD5: 7bb49f75b6660b66862e7beccd8cfb9a
  SHA1: c9885157db7d5025756f038933732accd1507a04
  SHA256: a6e5d2759811c07129666f663e782aa8f5cad7d94b04251385329994b64c76c9
  SHA512: dbba51d1a1d8161b3ce4463d518a7133f5b4a6ff2c0dea3c2be1d5347aaddffd966cdf4bb16fbebb51a50d923a186565e176409bf344ae5a6d52f2e26262d106
- Filesize: 520KB
  MD5: 3aed41880a85678454f071ae995c8f5d
  SHA1: 577c4d3c3c44c8e2d1e1ea18c9d04f7add0e813f
  SHA256: 6ebbeb5147674182d821eb45a2ad87389d9eb7e920ea4c3965abc8d732ff7e9d
  SHA512: d3143699cee7605dc4a5e8bb0a14a4a2d946614299bd85d308a0eb13002612cb25024fa8875d30af5823168a972924a520fe68a015779952f7e1c0842adb9b16
- Filesize: 520KB
  MD5: 54b345136339d140cd8d1ffa41f17d4c
  SHA1: e0d1011ca825e3fca682938e82ede96625fe35bc
  SHA256: f73db7bc05524dda6d9ec74deca536043a5b6dae404b65431ba731a07f99db7b
  SHA512: 6510114abe47342ef9d3749fa4bc4784dd58787b48bb2a2332dd5c97cfd3459b62c52f39ee403879ba03d540bb663297ea44fb01605ce5b48a99dbd2984e51e0
- Filesize: 520KB
  MD5: 306553145b664c72013f09d20630225b
  SHA1: f4135c086caa5b46c223fc78d54f7c511ca35958
  SHA256: 6599550d1fd11d7be2be42ccf3caf5d5d71564f0b01111867c68ea6814402d40
  SHA512: 5b54283f798eeaed6b807fbb5e693dc4c004b9646a43df2b3eb977510bf02c34e9ab5e6a6bdd4970712ef35b8b628fe5c6da8006299ef02ccc296941fad5c768
- Filesize: 520KB
  MD5: cccaa800697277d5bbee58e759de5ce9
  SHA1: 693ca50de693e54c84711db2a63a3772702fa8ff
  SHA256: 6ff2da474dec88793548b902bb474baad88cad7ae84012a6a5f50ab927c0b92a
  SHA512: 97a277d91c36dbcd1cced1f618f0c89853db30bb0880ce382e54e3c1dcf790fed8c3f8587e3dddcb6a0b6bebc91982cac555c950742b6af6064d559cbebbb2b9
- Filesize: 520KB
  MD5: cf79cce44ef072452a7867bb920a595e
  SHA1: 442b914aadefd50a55ff4517548e50779746ad14
  SHA256: 47f1d263e83540857a51388cd0c5a55e0e9772b06f8fa8d6fda4b084e0bbca1b
  SHA512: 98b13f452370eeb603020f12002af50f9676889ca461d083ac7181b5925c95dc56ca45c6fb8bd9ee0c8c0c141112df6f3373e04f46c226ff2c66f3a56b7e2d75
- Filesize: 520KB
  MD5: a55a9bda426b42b250db4e80daf728c2
  SHA1: a1464fc2974590caad76eb27130b3c9a9f8c3033
  SHA256: 610144466b81a8f62e17bf60992d155d4e5e6bde24d19cf6fa99bfd9f4b5c085
  SHA512: 72461dba7b2ab98b25c8bbbcbcfc906d1ab2b10f7ffd21306ce62fd9a5973f73d7636eeef98b019810c550c23d413e157af30c078c5f8bc46e6ad897926b5568
- Filesize: 520KB
  MD5: 5b65b29417553baf4e976925770e700e
  SHA1: ef33b9f0c437dc45772162becf735df287c5c64e
  SHA256: b0afbc666e147f06c1b436581d1727e0602be6219e3e99255ff16b98084de6c3
  SHA512: 89571b29b45ad6745628513613c80b8913e5d934326c29fa962777d65ca7fa6dfab595e6145edcfe8392a5c33b360181bd4e9dd09fa34d5709de5969d45f5c03