blackshades | 4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad

Analysis

max time kernel
148s
max time network
142s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe
Size

520KB
MD5

82b6f933473c0a36687d46b366ddc3b0
SHA1

deb6f09c055591eaa075f35f91df73cc703b5b43
SHA256

4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad
SHA512

125953741b4b8b4f0085718cd6a2708115fa224083792c30e2028429b4e5731f2540fc242a66949609ff05790983ed5b6721b391c56359388d5c562a24493553
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXQ:zW6ncoyqOp6IsTl/mXQ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/2232-714-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2232-719-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2232-722-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2232-723-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2232-724-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2232-726-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2232-727-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2232-729-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2232-731-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGELUKQHYPEOE\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 28 IoCs

pid	Process
2460	service.exe
2344	service.exe
1740	service.exe
2872	service.exe
2300	service.exe
972	service.exe
1624	service.exe
1892	service.exe
2032	service.exe
2820	service.exe
2588	service.exe
1320	service.exe
2156	service.exe
844	service.exe
1464	service.exe
2260	service.exe
1504	service.exe
2836	service.exe
2176	service.exe
2820	service.exe
2764	service.exe
2244	service.exe
2332	service.exe
896	service.exe
2656	service.exe
1856	service.exe
2368	service.exe
2232	service.exe

Loads dropped DLL 55 IoCs

pid	Process
1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe
1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe
2460	service.exe
2460	service.exe
2344	service.exe
2344	service.exe
1740	service.exe
1740	service.exe
2872	service.exe
2872	service.exe
2300	service.exe
2300	service.exe
972	service.exe
972	service.exe
1624	service.exe
1624	service.exe
1892	service.exe
1892	service.exe
2032	service.exe
2032	service.exe
2820	service.exe
2820	service.exe
2588	service.exe
2588	service.exe
1320	service.exe
1320	service.exe
2156	service.exe
2156	service.exe
844	service.exe
844	service.exe
1464	service.exe
1464	service.exe
2260	service.exe
2260	service.exe
1504	service.exe
1504	service.exe
2836	service.exe
2836	service.exe
2176	service.exe
2176	service.exe
2820	service.exe
2820	service.exe
2764	service.exe
2764	service.exe
2244	service.exe
2244	service.exe
2332	service.exe
2332	service.exe
896	service.exe
896	service.exe
2656	service.exe
2656	service.exe
1856	service.exe
1856	service.exe
2368	service.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMAABWBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLCMSLBBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVRGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUNOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPFQJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MIFWUKKMHAEFOKY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQSWUXINSFCRRE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDHYUVIOVVGAOXK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SRVIMIFWUKKMHAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULJAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QDAPXOCDYUPCYJE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGELUKQHYPEOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTOESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CEVRSNMHQXIEPIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBAGCXSFM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXTVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCWTOBXIYDIXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOCNWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\EFABWRELGLYHTQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRFCQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNMGQXHEOIJSVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSJWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMJURPT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVXJNTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSPJEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAXSRATJW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ANNHQXIEPIJSVXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYXFGRXOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQNBNYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1008	reg.exe
2800	reg.exe
2856	reg.exe
2032	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2232	service.exe
Token: SeCreateTokenPrivilege	2232	service.exe
Token: SeAssignPrimaryTokenPrivilege	2232	service.exe
Token: SeLockMemoryPrivilege	2232	service.exe
Token: SeIncreaseQuotaPrivilege	2232	service.exe
Token: SeMachineAccountPrivilege	2232	service.exe
Token: SeTcbPrivilege	2232	service.exe
Token: SeSecurityPrivilege	2232	service.exe
Token: SeTakeOwnershipPrivilege	2232	service.exe
Token: SeLoadDriverPrivilege	2232	service.exe
Token: SeSystemProfilePrivilege	2232	service.exe
Token: SeSystemtimePrivilege	2232	service.exe
Token: SeProfSingleProcessPrivilege	2232	service.exe
Token: SeIncBasePriorityPrivilege	2232	service.exe
Token: SeCreatePagefilePrivilege	2232	service.exe
Token: SeCreatePermanentPrivilege	2232	service.exe
Token: SeBackupPrivilege	2232	service.exe
Token: SeRestorePrivilege	2232	service.exe
Token: SeShutdownPrivilege	2232	service.exe
Token: SeDebugPrivilege	2232	service.exe
Token: SeAuditPrivilege	2232	service.exe
Token: SeSystemEnvironmentPrivilege	2232	service.exe
Token: SeChangeNotifyPrivilege	2232	service.exe
Token: SeRemoteShutdownPrivilege	2232	service.exe
Token: SeUndockPrivilege	2232	service.exe
Token: SeSyncAgentPrivilege	2232	service.exe
Token: SeEnableDelegationPrivilege	2232	service.exe
Token: SeManageVolumePrivilege	2232	service.exe
Token: SeImpersonatePrivilege	2232	service.exe
Token: SeCreateGlobalPrivilege	2232	service.exe
Token: 31	2232	service.exe
Token: 32	2232	service.exe
Token: 33	2232	service.exe
Token: 34	2232	service.exe
Token: 35	2232	service.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe
2460	service.exe
2344	service.exe
1740	service.exe
2872	service.exe
2300	service.exe
972	service.exe
1624	service.exe
1892	service.exe
2032	service.exe
2820	service.exe
2588	service.exe
1320	service.exe
2156	service.exe
844	service.exe
1464	service.exe
2260	service.exe
1504	service.exe
2836	service.exe
2176	service.exe
2820	service.exe
2764	service.exe
2244	service.exe
2332	service.exe
896	service.exe
2656	service.exe
1856	service.exe
2368	service.exe
2232	service.exe
2232	service.exe
2232	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2640	1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe	30
PID 1860 wrote to memory of 2640	1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe	30
PID 1860 wrote to memory of 2640	1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe	30
PID 1860 wrote to memory of 2640	1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe	30
PID 2640 wrote to memory of 2428	2640	cmd.exe	32
PID 2640 wrote to memory of 2428	2640	cmd.exe	32
PID 2640 wrote to memory of 2428	2640	cmd.exe	32
PID 2640 wrote to memory of 2428	2640	cmd.exe	32
PID 1860 wrote to memory of 2460	1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe	33
PID 1860 wrote to memory of 2460	1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe	33
PID 1860 wrote to memory of 2460	1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe	33
PID 1860 wrote to memory of 2460	1860	4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe	33
PID 2460 wrote to memory of 2820	2460	service.exe	34
PID 2460 wrote to memory of 2820	2460	service.exe	34
PID 2460 wrote to memory of 2820	2460	service.exe	34
PID 2460 wrote to memory of 2820	2460	service.exe	34
PID 2820 wrote to memory of 2888	2820	cmd.exe	36
PID 2820 wrote to memory of 2888	2820	cmd.exe	36
PID 2820 wrote to memory of 2888	2820	cmd.exe	36
PID 2820 wrote to memory of 2888	2820	cmd.exe	36
PID 2460 wrote to memory of 2344	2460	service.exe	37
PID 2460 wrote to memory of 2344	2460	service.exe	37
PID 2460 wrote to memory of 2344	2460	service.exe	37
PID 2460 wrote to memory of 2344	2460	service.exe	37
PID 2344 wrote to memory of 2816	2344	service.exe	38
PID 2344 wrote to memory of 2816	2344	service.exe	38
PID 2344 wrote to memory of 2816	2344	service.exe	38
PID 2344 wrote to memory of 2816	2344	service.exe	38
PID 2816 wrote to memory of 480	2816	cmd.exe	40
PID 2816 wrote to memory of 480	2816	cmd.exe	40
PID 2816 wrote to memory of 480	2816	cmd.exe	40
PID 2816 wrote to memory of 480	2816	cmd.exe	40
PID 2344 wrote to memory of 1740	2344	service.exe	42
PID 2344 wrote to memory of 1740	2344	service.exe	42
PID 2344 wrote to memory of 1740	2344	service.exe	42
PID 2344 wrote to memory of 1740	2344	service.exe	42
PID 1740 wrote to memory of 1792	1740	service.exe	43
PID 1740 wrote to memory of 1792	1740	service.exe	43
PID 1740 wrote to memory of 1792	1740	service.exe	43
PID 1740 wrote to memory of 1792	1740	service.exe	43
PID 1792 wrote to memory of 2684	1792	cmd.exe	45
PID 1792 wrote to memory of 2684	1792	cmd.exe	45
PID 1792 wrote to memory of 2684	1792	cmd.exe	45
PID 1792 wrote to memory of 2684	1792	cmd.exe	45
PID 1740 wrote to memory of 2872	1740	service.exe	46
PID 1740 wrote to memory of 2872	1740	service.exe	46
PID 1740 wrote to memory of 2872	1740	service.exe	46
PID 1740 wrote to memory of 2872	1740	service.exe	46
PID 2872 wrote to memory of 2880	2872	service.exe	47
PID 2872 wrote to memory of 2880	2872	service.exe	47
PID 2872 wrote to memory of 2880	2872	service.exe	47
PID 2872 wrote to memory of 2880	2872	service.exe	47
PID 2880 wrote to memory of 2164	2880	cmd.exe	49
PID 2880 wrote to memory of 2164	2880	cmd.exe	49
PID 2880 wrote to memory of 2164	2880	cmd.exe	49
PID 2880 wrote to memory of 2164	2880	cmd.exe	49
PID 2872 wrote to memory of 2300	2872	service.exe	50
PID 2872 wrote to memory of 2300	2872	service.exe	50
PID 2872 wrote to memory of 2300	2872	service.exe	50
PID 2872 wrote to memory of 2300	2872	service.exe	50
PID 2300 wrote to memory of 1924	2300	service.exe	51
PID 2300 wrote to memory of 1924	2300	service.exe	51
PID 2300 wrote to memory of 1924	2300	service.exe	51
PID 2300 wrote to memory of 1924	2300	service.exe	51

C:\Users\Admin\AppData\Local\Temp\4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe
"C:\Users\Admin\AppData\Local\Temp\4e517229d01c74d869a6b82b857472a9ebbc1df40776591c888956932f67a5ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempMUGNR.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUNOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe
  "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempRMUJJ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EFABWRELGLYHTQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2888
- - C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAXSRATJW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:480
  - - C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe
      "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXJRJD.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIFWUKKMHAEFOKY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIBCQM.bat" "
        7⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGQXHEOIJSVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSVWIJ.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEVRSNMHQXIEPIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ANNHQXIEPIJSVXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSJWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKXFTS.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        14⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOWKLL.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMJURPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNTAGDSR\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNTAGDSR\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYXFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFYAN.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXTVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHQHF.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQNBNYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJWDUN.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDHYUVIOVVGAOXK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SRVIMIFWUKKMHAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXBNK.bat" "
        23⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXFGPK.bat" "
        24⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFSAON.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLCMSLBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVRGUCKB\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQWNKO.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCWTOBXIYDIXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNWN\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNWN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNWN\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJYWGR.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QDAPXOCDYUPCYJE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        30⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        31⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe:*:Enabled:Windows Messanger" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe:*:Enabled:Windows Messanger" /f
        31⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        31⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        31⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempDGHQM.bat

Filesize
163B

MD5
0a642b13e305d30ca155412d35b152af

SHA1
781496d9955791faa48807abc37e66baaf0169f5

SHA256
1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797

SHA512
de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578

Download Submit
C:\Users\Admin\AppData\Local\TempDXBNK.bat

Filesize
163B

MD5
2f8d9f8f839cefaf6e793c822df4b87c

SHA1
f12d7e789a19dc007186bbe483fc8244f76f6409

SHA256
894c1f0c748825d255dc02505fbc207346d341ffcaa0716bf777fc9d5f66b2e5

SHA512
7aafcc9c63587e06c1e1f28b1a809457f5921840b009b69d8c36107386f39a0a492bb13a5ab3b56416686f79cc33fb4f20a16c711670a3c568fe50f4b2712ecb

Download Submit
C:\Users\Admin\AppData\Local\TempEFOKY.bat

Filesize
163B

MD5
eb1981947d081f28fe8eefe71ba83464

SHA1
518f6efa878b2ceffc45965cee66ebc1358beeca

SHA256
ea0eefd90e9492d19be6d6a5b40601452f3c18cb5febc5f74c6a6ab2dd8081be

SHA512
27932aaf3523fae850e9b71981d1a573b86f6e838de12508ad3c3410fdb6cc66f3f0dc79394d9e803c73dba22f28eb5afe32c3d65fe00651ca55f38d7fa6f93e

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.bat

Filesize
163B

MD5
3e0dfc24ee5490d1acf6362c0bb7c20e

SHA1
b86db2741400b9dd84d6e0f9166688124db68564

SHA256
bb1be350990549a05c5197a7fa388e8d708e6b438ae6832bdcbe0892e400c656

SHA512
bea2582ac3e5ea4ee9a91271795815ffa2a81318c0d5bcacc4f72a8c8d614483ae2862a9aa45ae353aa515976044cc6e52609968092b385c337280ad81de1114

Download Submit
C:\Users\Admin\AppData\Local\TempFOKYX.bat

Filesize
163B

MD5
11b68cabe8569ca664245dab618b5c7e

SHA1
6ef2876d707696cfd3383c627c665b84b46b31fa

SHA256
ffcb75f1142bf59e3cf6428ab7783a4a61460760f50a6f8e5af7199a5285d564

SHA512
e732b5b4d1a53e2f30ee349ee8076a95d2ddbe05f0e6ef11274dc471007ba3af841c22e9ce5bb64b931b4f9c9bf5c0a11219048e6d0853e83b5a29a342b3d528

Download Submit
C:\Users\Admin\AppData\Local\TempFSAON.bat

Filesize
163B

MD5
74617bfcdeef6b6c917afe3606f98e6e

SHA1
874c4ed626c76c58006c79457183e0c13f47e7ec

SHA256
f5bc9d2b184c888e80f30e9ec8a54f63a9b2873609d1552061638d0a081c5243

SHA512
026b68f81ebc7ba6098533c313645efc40ddd4a4860b5806b5bf1a0257baa234b471adce9c6dbfdc868db7f1f0476899ff460683590284de51e65132c5129ab7

Download Submit
C:\Users\Admin\AppData\Local\TempIBCQM.bat

Filesize
163B

MD5
4ee0ac9fd9906f6947aa07400a0c6eb0

SHA1
889019ae0da9a4ec8a4c26f350266d5fe66d87d8

SHA256
f984d52f2337b3ac2be55c808a5f8745e0b284db69e3c083240622ae1066908d

SHA512
cd0e092b24c306e789073cc14985587631ef1864128c403751515356f2e4ccf2a246aa7f0b119e77f93bf9b9637755b661dbf82815c41595e8256dd7f0c8594f

Download Submit
C:\Users\Admin\AppData\Local\TempIIRMV.bat

Filesize
163B

MD5
97052a29f985457213f21c7e96e983c4

SHA1
770d694db41606e699fdc3c41e011fd89628000c

SHA256
eed7f3dfae3bfecebf023302c7c7cc499516fc81768e97bbe3934a6d069116af

SHA512
0e688a1cc310b94ad28b11566271f2618c10df3e525e1240451ffe3cd2f56903692bfe32f5a94a959d23b8ce2c006ca1bf1a4d4405dbec3bd9fea02b5980cf1f

Download Submit
C:\Users\Admin\AppData\Local\TempJGPBH.bat

Filesize
163B

MD5
ed6b9ff4ddc912cb5e4b9dea8b4eab46

SHA1
76088644ad856ef052be0511a66e55227937c96d

SHA256
42ce7a5e9fae45e628311783ba8bc11feb7f136b32a116f89935b46b64bd87e3

SHA512
52f394838fe2bf38eb858f9686a58545c6e9f9911c00c9271b42e19146a996be895646c260138790de95199d044a67fe418efb24e9113ae55ee7e4fbe6d9b175

Download Submit
C:\Users\Admin\AppData\Local\TempJGPBH.bat

Filesize
163B

MD5
204d107dd43ef702d111a72efa7285ae

SHA1
5ff359dffcb46bb4fec139f5c6a772ce63b921d2

SHA256
cfa4701cea969edc4871d7db3fc85aa9433f37db72cfc8c8b71d4adeb02b2abe

SHA512
d4c9a704015554497723bd537a6b0643e67888609036c16185d5fbf8d9922f85f2e18c242d3f9186b0fdb75d7ccfd7b36f1282434560f6a44180eb348257bc55

Download Submit
C:\Users\Admin\AppData\Local\TempJWDUN.bat

Filesize
163B

MD5
c72ea2c250692172faecceebe2f4ed3a

SHA1
81eaa58c521f7682cf335dd14a351e52cb56418b

SHA256
e3b6623c4fd759164e6d71df455d5f1d98a6158301cfbd6bb7916ef394da412f

SHA512
f2288bab962e20cd1d4202c755226eafeb82e561f786856f9fd20b554cf467f8628aa936b922090c09877c8600f6dbda062a2930814d795e83bdb36adbafa4ec

Download Submit
C:\Users\Admin\AppData\Local\TempJYWGR.bat

Filesize
163B

MD5
962273da44df0bb93c8029d1cd5e4f0f

SHA1
dac3ba8242c97ad4e7bca414e1798068b56510ed

SHA256
54bfee30be1fb00ea67722f796dc4ca9043bcedcc7d5d6a21bc717472acae682

SHA512
e2c853432db506d9a9b9334372d42afe27c61e8daa7cbde46b4fdae57311df25409327814698b65ab06393ede01e6b2743f7e206b83c81254acd8fb15ae57728

Download Submit
C:\Users\Admin\AppData\Local\TempKXFTS.bat

Filesize
163B

MD5
85842b09d2dea6667cbd548ebd2c2f39

SHA1
4a6bbfb6ada10a281cd14a93715cbd68fecf37b8

SHA256
6fdf41a5560410dbc0042c77162b6bd350cd664aaa17d4aee2f5017612c939ba

SHA512
d9ed6d2d98c9fd790028e4aa53df353d7c0feacef9b867598b2f989f3ca4cefae3503e0d0d23a1b44d56c781150a1582ca722a470f2c6eefd2b6b17105aebd88

Download Submit
C:\Users\Admin\AppData\Local\TempLHQHF.bat

Filesize
163B

MD5
f814f4259a2f98d4da28c79ed3a6bb4f

SHA1
b36d0e73e50229d7ad8821238034a6bd95cf482b

SHA256
eae0bace75f623e11d6b7ef774140e65632b6e3f4df9cb6f90138299c79aea68

SHA512
badd7876a8498ca1aa06c486d73d702210adc70aae2e996340a842443823ea76ac04c457d379d422ff2f451eb0ec2739fe13d4952b70a18dca85540a79cf7654

Download Submit
C:\Users\Admin\AppData\Local\TempMUGNR.bat

Filesize
163B

MD5
e65890858f7fb8dad52e80356b191005

SHA1
2c6e3801a0cc15203581fe5fef35fbe2883edc74

SHA256
54f999d041ba8ca3afddfbe7d58063ea4c3b83fd7463b3216b5e7b0aaa20336d

SHA512
0e8e3164328b88513002fd82fb81dfea8e91e3e08e1f80fbbd47e395409ac56c6ee2847bbdead49d0cceaa33231c415ee570a30ccf90b047e1b44212296f35fd

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.bat

Filesize
163B

MD5
565a990e3d4584fb3d957dd2440fa6a9

SHA1
62dea069ef89b4920c451d6a2795059617ffde8e

SHA256
b9893fc932adb582c7c454701bcc51b52bb434b424326458d3d7949325f2c4aa

SHA512
dc244b0782afc936e05008f28831a70c63288c6f9e0d618eb1c036d2cddbaf0edeffb048b00dc62541f0341de1cd970d8ea984d09c178ee428fc444f2da70429

Download Submit
C:\Users\Admin\AppData\Local\TempOWKLL.bat

Filesize
163B

MD5
f1da3ec92c947e8de5d91b7a588f8fc5

SHA1
3463f14e6ae4c53b4d3e421b286b98c3982ce84d

SHA256
c9888a0284ca05e0ef65997b2dfefea4b35356f832f4fe50a9fdaf01e4be1d19

SHA512
e08ec0d29cb19b978f8f6e6dab4b7ddc34dd352021cfc56ed679ac0ad6b55d7a6cd68562c7624c38487e4cd592fd65e82e46c7e2212a7e98e64d287fcd7c6387

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAU.bat

Filesize
163B

MD5
67410272d22b9bbd70ed450766c8c68e

SHA1
55cbd18ea08b9bf89e1dec51c5f1d91322dd8365

SHA256
0c8d1a8baa608fa81bd4c532058ab5aefbc77eb6991b1c74be9eba3a8f07b05b

SHA512
373b6cd7cef1b425a8614df4a8b617a5e4399239f34da9fe01d7939cdb4c7853fbb5d58ad64200cbdb1087726688a7c6ed8aff62fe9014b3057ca85b77bfc45e

Download Submit
C:\Users\Admin\AppData\Local\TempQWNKO.bat

Filesize
163B

MD5
ae0375c80c1d645ee32658760f02ba54

SHA1
7212226e73002c6a445686b11e3d65331d7d7893

SHA256
08c41e868378fc000434ac5c72630d4c2d1718805dc366d9f985fad455fe6efa

SHA512
6b04d866ec95afd645c5bd5f7b8b2b95802a9c70723f82e5be57912aea33e863036ee294be6ceb6858eb4011b8929971dbd31c3a0f9addac5b846560c86f1b99

Download Submit
C:\Users\Admin\AppData\Local\TempRMUJJ.bat

Filesize
163B

MD5
1bc3fea9f47b62158e96f9c887c4e15a

SHA1
4e79a920c7df0a3bc564f074a3a52a6f736367a9

SHA256
3bea3ce73171f8373ec63b4ad065f6a7d149d3125c116cec1a0096401d95b321

SHA512
e4114ff25e7217bf639128720921b9ece015dd4389eb634315a3217b54f92a04ddaaf7cbc362d9c2a0022489584afbb4d720ced750dc0e831c14957b17521e89

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.bat

Filesize
163B

MD5
f041eccce7f551790b2c0f141c2371ba

SHA1
180afe3a0774c0ed883589e5976d5fbaf2c281e0

SHA256
a05bd12817a17601f3763fbbb889159320bbd652b56ef34bb1f6105193903d42

SHA512
dbd390f540aaf5124445511d977a49889dc010c9715bf89fea123840304de65da6c0da5804ea5312635bd35c6962110abcb0e19d2e5bc8a773cf8d0d6420acc8

Download Submit
C:\Users\Admin\AppData\Local\TempSVWIJ.bat

Filesize
163B

MD5
22a9454c0a08a264322d22b0f85ebbe1

SHA1
4b2e8e779a093e437d0c5113890df2ab5f636705

SHA256
a75e5230b9ff7baa7c0cd42bdb235bd1e9df705023baa3faed7a541e530519d7

SHA512
fc5e18ba883aa67e2fb68436d84e1fa7fa7ee2f118ef7effa61e0dd576c2d81bdf6b7a0d2f4a480ca1b73ff98a68b96ec91c93586c19b4d8f37142fede6cde42

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.bat

Filesize
163B

MD5
9011633853bef6a0f9b96c296cf872d6

SHA1
ddba6cc73ae875c79374b2e1fb1a2177de41f653

SHA256
1f3d96b6be86188220dcbe190aa898547e968865b2a912f471b665c90972344a

SHA512
805e2a01ef76162a9351d524e6aca20599b7077b1b49cf65ba05bae46140f27edce2063ac3fc83bec98839d80e0fb7b498f70bed7f2f816660e6d84c429945e1

Download Submit
C:\Users\Admin\AppData\Local\TempUFYAN.bat

Filesize
163B

MD5
10e58ac500f28d3bd87a6b66ad6b337a

SHA1
c88155419d3fa93423c816a6ab34e355c7be02d3

SHA256
f4073b688587e96e1eef3fafc77db30f70aba207a4c2636f5183e4f3609b4994

SHA512
b8b96bfc26895cc16a0756d73e8651eed5bd8b4cc8de19603619692ed46d58c3f8dfb42edac606c51b803cc8c38322d5356de8df370924a043be53ccdb2acea3

Download Submit
C:\Users\Admin\AppData\Local\TempXFGPK.bat

Filesize
163B

MD5
ea52b23fac094cac240e14a3a7f71c80

SHA1
da554180086078f0c2c875c96bc7b6d8a0fa9388

SHA256
2b983376d9b33438d9ae495766b75607031353063256e11e88a67c728f0d74e4

SHA512
8dae6e6b9700bf2430cbb2370df7a2c5629d511d40c99605aaecde5d0609e7c61bb559abb211cb6e507ab7533805e005669e7f765c32f48fb2afb9afcecbde3d

Download Submit
C:\Users\Admin\AppData\Local\TempXJRJD.bat

Filesize
163B

MD5
63d47bcb64f6b5b477cb21a19520f21d

SHA1
e184b412737b11cf839368fad9bc0d065a7e6347

SHA256
8b74efb15915339bfb81c5600e86a05666f69aea51cabb044e26ca6887daf2ff

SHA512
9a7f6a98096cad3654e38222fcb5fda41db585584ac0a99f739e732eec2dab6fd8b0990f804e32d9070319fc573464e3f0a3f672e169008231004a57f0ef4460

Download Submit
C:\Users\Admin\AppData\Local\TempYGOFD.bat

Filesize
163B

MD5
1c8a1be9bc3ebb31b2592214152bb854

SHA1
ad9dc2375b15466336615991e8f93396679cd5c7

SHA256
8276331203d869e2ccf20aa4070d1e22a3682ad54d69c4df288e5fb86522d8cb

SHA512
0b6179be6de759b1b4cd1597df2cc6df1de0223ef6b238cfbd33e6655e136fe8559094d8fea5dc783f79b33d91ea744ef491a6df1f420951c31626ad13dc7d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe

Filesize
520KB

MD5
0f97c64b33b8b668c6e058d400ef4237

SHA1
6874111144230798a8b0530a70427eb4f5dcd12f

SHA256
cb91e02f1d14709d2bffac8c928a526208d08bc9fc7b48789df23f8dcfb07b98

SHA512
686c50adfc4f5158cc4c56bdc6634ed25d036e6c2a1d20bc756c046a0d6a9b16628bbeae6c0268e9b3d5a3e4b89350553942a7a13941d4f3fc38d19d33ad61fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe

Filesize
520KB

MD5
453e2906b64b11cf8708dbdca3e97ccb

SHA1
5dc5d205f49ff3ef7a683a47de631cdc4d6affc2

SHA256
75f6c273790f8df37b3339883300490d22625635c526db33b0403d489ea7fc6b

SHA512
0b173088a71792136c39aa1e9b150545397355041eb487bea98141268f782a9d87c0c116d7307a4fa7b89eecf5b4c87beaf8c8512060a5aecc5a8c90422b3bd5

Download Submit
\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe

Filesize
520KB

MD5
6af95cb67f90bed84e81853dd7acae35

SHA1
1ea92804ca0008585914a7aac265d5ca8bf1982f

SHA256
11ee295ba73215cb44519bde6ac48f806d14897dd4880d3dc2518cf719fc7973

SHA512
55a1d4ed63d1ed0ebb0276caa607a679650083035a6c38439f781ff5ff9ba6426bc643f46042c714e2765a8388b2a625173f80401a324c975fcf75957126011f

Download Submit
\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
6ca1a4756d3968b45d2d03648d539de8

SHA1
75d1442a4012a59294567cbc4b3d9d199b763dc8

SHA256
776f7cc5a729fc072d3e59ec0f154137d4e67117a25daddfd2f30d335aa2a5af

SHA512
2d8d2e1503e9735bee2a79b32ae2b1cd54b09b6fcab1d0a027acea548ae11e2490ebb7775a74b6f7ff4ae82bdb197111fb26061e571a7d9247ffee3393fe121e

Download Submit
\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe

Filesize
520KB

MD5
27d2d58cd4965c141287447e555db1ae

SHA1
eb8190262fe4117052aaed2b2a68966b9def05d0

SHA256
d73a5999b4d05df0d38df8a7b5b1fc6ecb28e7b81b90fd28624bda4c9af500fb

SHA512
1a1048c859d581c15f90ce442c482c43296f26385682f0051db3454d2644728b1888ab5ab3eff44274f7f80d580810752bb501bdd6e5bfbfdb6cacfb7532c653

Download Submit
\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe

Filesize
520KB

MD5
c916cbedeecaad23a9c01783711204dc

SHA1
2cbd78fc2bf594c294b398e2198e9558accb02b1

SHA256
1b07b0a6537b8e82a13f79501460d9bb877bc0c2369f5602ae18131a94582a3d

SHA512
d73259884a22ebec6b660c8db3d4c9b0b3c273a733047710dac57b41f105ff070eecff935bf218a8826f6041a8a65b45c845c77a868960fb0ae5d873dd4c0065

Download Submit
\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe

Filesize
520KB

MD5
6d1930baf7c3fed13716cf19cd9b71bd

SHA1
b731a63882a611b0df7f3aeeafd10fe2bb8a954e

SHA256
0df1e1dc5f247f12ad39338fc77f92cbb55765343089cb388aeec6c79a9fc9b7

SHA512
1ba236fa808d155cb09bb947966a870e41b6d3ff3971791e783938ab7d61400cc012cfcf4757d05c3041873f504270919749ee37323a79b164ad6c0dbf1fb01c

Download Submit
\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe

Filesize
520KB

MD5
5b2dbfc361b2a577b5b90e60456e5bf4

SHA1
d47c23204e7a365ec4896fd1438ecec852b6e43c

SHA256
5421ac4a5dfcc1783b177e22768d50717069aa6d204d5a0e138d418745dcb7ac

SHA512
612de04e3e1b3787d6b2842b27a483ea264086472cd970465e3772e05595702d389e2e33e6f3f48e894d08b15c9b18281ca3f51efdb05c32409b963e32d98d05

Download Submit
\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe

Filesize
520KB

MD5
f9510b3aa976d476da4d66e2a00f5e71

SHA1
94a81f8605f320bac9de1ec52f973c896bb13b3d

SHA256
8172283aaf73d30044eebdf11c5c52dfe8a32520f38b496e7dec6011b0f089ad

SHA512
01966d92fc225edd48ac5e43bfc6edb947d627a5020495a8f532eacaea1213bc6deebd9904547c3c93e8f5b97fa2eebb7624a9445024601ecaec4a6232e1f1ab

Download Submit
\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe

Filesize
520KB

MD5
71010aed668e266ea0eb5061eea341e5

SHA1
7ede6fe3ebe235a5bc86f2f249767943ae4ab436

SHA256
4c6892c1a56477b2401356c188f1f5772dbad70193fd5ba22603841a07559be7

SHA512
fd0f2218175cf3f27531143e55a572087ab9e88128e56ae29e6e5023f5342bd29eac5c055bbabd8cf72d1de012405aa603f73e690cf0d10474ce40d99983df51

Download Submit
\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe

Filesize
520KB

MD5
4013f03468525209de6baf15a039646b

SHA1
34be1dad989028d0ff0ff96836b61b65de95f717

SHA256
be7cd994c2706c070a48a39e4f2094b4badfa05971431a492b8830d7344b4222

SHA512
c54b8a6f46761158b80ce9039fa29b219b7161083221a1bfe0694fcfbbc2e01594108c3f20ca2451a77f82e5b94792448f811020d2077a2691a4ae5dcb1f61f9

Download Submit
\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe

Filesize
520KB

MD5
f20ef0cf735c9cd2b60e15559b7f9062

SHA1
d366a27dcbd436f8592624f55ba8c54b84d834b7

SHA256
061153fac330f5a34643170f4c9a49ccaf011d373baea27c3d8426630734a291

SHA512
eb04d6d4f445e8cafd0508957cc8f32d1a2c2baa8db04637a9b2189e493ffa011a62a5ad4cd716d2d0fcd5f25de8f41c554ad3a78811548fc04907f68a1e87fb

Download Submit
\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe

Filesize
520KB

MD5
5661071ea9865107656eacae8d1a6548

SHA1
2d92dba3c9a6163490239b419a19bbe49edc46d0

SHA256
3f1b61503374b57c9b6f94a31be9fcf1a1f76c2c21d98e0a8bd2ed6450f8e133

SHA512
524646cb220bacf2d069dcdbee06c9aa6dd414f7eb325432b46ce9f5622e5101336547d061f28362ca25eba96727e7aed28eaa5a3eb324383f4ba63caade900b

Download Submit
memory/2232-714-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-719-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-722-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-723-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-724-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-726-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-727-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-729-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2232-731-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads