blackshades | 6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
Size

520KB
MD5

47f9bf098bb140399c8a3c56a698f762
SHA1

56235e0c3485a9f512cc060aaf1292ab917cd89c
SHA256

6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233
SHA512

cd0daa0f327a5f17da7f3c948341b5345d81ff9256db64ecfb770f443ca37478eed21e8745b98b39b3cf50959d30e877903b74855e93e00233a12f186a09056b
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXy:zW6ncoyqOp6IsTl/mXy

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral1/memory/2004-810-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-815-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-816-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-818-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-819-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-820-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-822-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-823-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-826-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2004-827-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHNEVMBLB\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 32 IoCs

pid	Process
2904	service.exe
2868	service.exe
3028	service.exe
608	service.exe
692	service.exe
1828	service.exe
2340	service.exe
1472	service.exe
1936	service.exe
2656	service.exe
2740	service.exe
3052	service.exe
2248	service.exe
1500	service.exe
2020	service.exe
2616	service.exe
1712	service.exe
2284	service.exe
2784	service.exe
2360	service.exe
2980	service.exe
2132	service.exe
2676	service.exe
2140	service.exe
2580	service.exe
2340	service.exe
2180	service.exe
2840	service.exe
2036	service.exe
1276	service.exe
2660	service.exe
2004	service.exe

Loads dropped DLL 63 IoCs

pid	Process
2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
2904	service.exe
2904	service.exe
2868	service.exe
2868	service.exe
3028	service.exe
3028	service.exe
608	service.exe
608	service.exe
692	service.exe
692	service.exe
1828	service.exe
1828	service.exe
2340	service.exe
2340	service.exe
1472	service.exe
1472	service.exe
1936	service.exe
1936	service.exe
2656	service.exe
2656	service.exe
2740	service.exe
2740	service.exe
3052	service.exe
3052	service.exe
2248	service.exe
2248	service.exe
1500	service.exe
1500	service.exe
2020	service.exe
2020	service.exe
2616	service.exe
2616	service.exe
1712	service.exe
1712	service.exe
2284	service.exe
2284	service.exe
2784	service.exe
2784	service.exe
2360	service.exe
2360	service.exe
2980	service.exe
2980	service.exe
2132	service.exe
2132	service.exe
2676	service.exe
2676	service.exe
2140	service.exe
2140	service.exe
2580	service.exe
2580	service.exe
2340	service.exe
2340	service.exe
2180	service.exe
2180	service.exe
2840	service.exe
2840	service.exe
2036	service.exe
2036	service.exe
1276	service.exe
1276	service.exe
2660	service.exe

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTECHYUVINVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTDPPQLJQMBPWG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJJVSPTOWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABHES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DXCPFTPMRERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHCADYSGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABGES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTSWJANJHXVMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHNEVMBLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGJYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\WVRSFKRSDWWLUHG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEYDQGUPNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOXAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\WJLGEHWKRAMQBNV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYOSXEFCKDIW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\QERCAFXWSTGLSTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUEPU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQNBNVBTXSOQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYEOXVFCMGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQJPWHIBVACSPPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCHQHGRO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFBVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\IXYVEEQWMKOJRGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCTNBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTWYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\JOCNWNBCWTOBXIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVGSRSOMTOERIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDQTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\REMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWPFPIHJWXES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVANDRNKPCPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UWMGELULQIQEOFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTMNXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOEPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGCQWOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JLXXBYTSAYUKXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\UGDHDKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYPMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\ARIHSPOSFJFDTRI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHDYSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVTYLBPLIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SUKECJTJOGXOCMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIWXJPWWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSODRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDXUOCYJEIYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1160	reg.exe
1336	reg.exe
628	reg.exe
3036	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2004	service.exe
Token: SeCreateTokenPrivilege	2004	service.exe
Token: SeAssignPrimaryTokenPrivilege	2004	service.exe
Token: SeLockMemoryPrivilege	2004	service.exe
Token: SeIncreaseQuotaPrivilege	2004	service.exe
Token: SeMachineAccountPrivilege	2004	service.exe
Token: SeTcbPrivilege	2004	service.exe
Token: SeSecurityPrivilege	2004	service.exe
Token: SeTakeOwnershipPrivilege	2004	service.exe
Token: SeLoadDriverPrivilege	2004	service.exe
Token: SeSystemProfilePrivilege	2004	service.exe
Token: SeSystemtimePrivilege	2004	service.exe
Token: SeProfSingleProcessPrivilege	2004	service.exe
Token: SeIncBasePriorityPrivilege	2004	service.exe
Token: SeCreatePagefilePrivilege	2004	service.exe
Token: SeCreatePermanentPrivilege	2004	service.exe
Token: SeBackupPrivilege	2004	service.exe
Token: SeRestorePrivilege	2004	service.exe
Token: SeShutdownPrivilege	2004	service.exe
Token: SeDebugPrivilege	2004	service.exe
Token: SeAuditPrivilege	2004	service.exe
Token: SeSystemEnvironmentPrivilege	2004	service.exe
Token: SeChangeNotifyPrivilege	2004	service.exe
Token: SeRemoteShutdownPrivilege	2004	service.exe
Token: SeUndockPrivilege	2004	service.exe
Token: SeSyncAgentPrivilege	2004	service.exe
Token: SeEnableDelegationPrivilege	2004	service.exe
Token: SeManageVolumePrivilege	2004	service.exe
Token: SeImpersonatePrivilege	2004	service.exe
Token: SeCreateGlobalPrivilege	2004	service.exe
Token: 31	2004	service.exe
Token: 32	2004	service.exe
Token: 33	2004	service.exe
Token: 34	2004	service.exe
Token: 35	2004	service.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
2904	service.exe
2868	service.exe
3028	service.exe
608	service.exe
692	service.exe
1828	service.exe
2340	service.exe
1472	service.exe
1936	service.exe
2656	service.exe
2740	service.exe
3052	service.exe
2248	service.exe
1500	service.exe
2020	service.exe
2616	service.exe
1712	service.exe
2284	service.exe
2784	service.exe
2360	service.exe
2980	service.exe
2132	service.exe
2676	service.exe
2140	service.exe
2580	service.exe
2340	service.exe
2180	service.exe
2840	service.exe
2036	service.exe
1276	service.exe
2660	service.exe
2004	service.exe
2004	service.exe
2004	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2180	2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	30
PID 2348 wrote to memory of 2180	2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	30
PID 2348 wrote to memory of 2180	2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	30
PID 2348 wrote to memory of 2180	2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	30
PID 2180 wrote to memory of 2560	2180	cmd.exe	32
PID 2180 wrote to memory of 2560	2180	cmd.exe	32
PID 2180 wrote to memory of 2560	2180	cmd.exe	32
PID 2180 wrote to memory of 2560	2180	cmd.exe	32
PID 2348 wrote to memory of 2904	2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	33
PID 2348 wrote to memory of 2904	2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	33
PID 2348 wrote to memory of 2904	2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	33
PID 2348 wrote to memory of 2904	2348	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	33
PID 2904 wrote to memory of 2732	2904	service.exe	34
PID 2904 wrote to memory of 2732	2904	service.exe	34
PID 2904 wrote to memory of 2732	2904	service.exe	34
PID 2904 wrote to memory of 2732	2904	service.exe	34
PID 2732 wrote to memory of 3040	2732	cmd.exe	36
PID 2732 wrote to memory of 3040	2732	cmd.exe	36
PID 2732 wrote to memory of 3040	2732	cmd.exe	36
PID 2732 wrote to memory of 3040	2732	cmd.exe	36
PID 2904 wrote to memory of 2868	2904	service.exe	37
PID 2904 wrote to memory of 2868	2904	service.exe	37
PID 2904 wrote to memory of 2868	2904	service.exe	37
PID 2904 wrote to memory of 2868	2904	service.exe	37
PID 2868 wrote to memory of 2296	2868	service.exe	38
PID 2868 wrote to memory of 2296	2868	service.exe	38
PID 2868 wrote to memory of 2296	2868	service.exe	38
PID 2868 wrote to memory of 2296	2868	service.exe	38
PID 2296 wrote to memory of 576	2296	cmd.exe	40
PID 2296 wrote to memory of 576	2296	cmd.exe	40
PID 2296 wrote to memory of 576	2296	cmd.exe	40
PID 2296 wrote to memory of 576	2296	cmd.exe	40
PID 2868 wrote to memory of 3028	2868	service.exe	41
PID 2868 wrote to memory of 3028	2868	service.exe	41
PID 2868 wrote to memory of 3028	2868	service.exe	41
PID 2868 wrote to memory of 3028	2868	service.exe	41
PID 3028 wrote to memory of 2796	3028	service.exe	42
PID 3028 wrote to memory of 2796	3028	service.exe	42
PID 3028 wrote to memory of 2796	3028	service.exe	42
PID 3028 wrote to memory of 2796	3028	service.exe	42
PID 2796 wrote to memory of 1956	2796	cmd.exe	44
PID 2796 wrote to memory of 1956	2796	cmd.exe	44
PID 2796 wrote to memory of 1956	2796	cmd.exe	44
PID 2796 wrote to memory of 1956	2796	cmd.exe	44
PID 3028 wrote to memory of 608	3028	service.exe	45
PID 3028 wrote to memory of 608	3028	service.exe	45
PID 3028 wrote to memory of 608	3028	service.exe	45
PID 3028 wrote to memory of 608	3028	service.exe	45
PID 608 wrote to memory of 2112	608	service.exe	46
PID 608 wrote to memory of 2112	608	service.exe	46
PID 608 wrote to memory of 2112	608	service.exe	46
PID 608 wrote to memory of 2112	608	service.exe	46
PID 2112 wrote to memory of 2144	2112	cmd.exe	48
PID 2112 wrote to memory of 2144	2112	cmd.exe	48
PID 2112 wrote to memory of 2144	2112	cmd.exe	48
PID 2112 wrote to memory of 2144	2112	cmd.exe	48
PID 608 wrote to memory of 692	608	service.exe	49
PID 608 wrote to memory of 692	608	service.exe	49
PID 608 wrote to memory of 692	608	service.exe	49
PID 608 wrote to memory of 692	608	service.exe	49
PID 692 wrote to memory of 1796	692	service.exe	50
PID 692 wrote to memory of 1796	692	service.exe	50
PID 692 wrote to memory of 1796	692	service.exe	50
PID 692 wrote to memory of 1796	692	service.exe	50

C:\Users\Admin\AppData\Local\Temp\6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
"C:\Users\Admin\AppData\Local\Temp\6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe
  "C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempTAXXR.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVRSFKRSDWWLUHG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:3040
- - C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
    "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempIKFBC.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ARIHSPOSFJFDTRI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:576
  - - C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe
      "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLNWSF.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEYDQGUPNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1956
    - - C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:608
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQQFO.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJJVSPTOWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2144
      - C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKIQCI.bat" "
        7⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTWYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDIXYV.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JOCNWNBCWTOBXIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        10⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDXUOCYJEIYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
        11⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBTXSP.bat" "
        13⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEHWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXXMVI.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QERCAFXWSTGLSTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPTOWL.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJAACD.bat" "
        17⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGRO\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGRO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGRO\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWO.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
        20⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVTYLBPLIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPYAUT.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSOQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACPYL.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIWXJPWWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGJYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRNKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
        25⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTMNXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPTOWL.bat" "
        26⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYSGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
        27⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGCQWOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        28⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWXES\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWXES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWXES\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGDHDKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYEOXVFCMGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGHPL.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEEQWMKOJRGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCTNBID\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCTNBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCTNBID\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCFGPL.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJANJHXVMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe:*:Enabled:Windows Messanger" /f
        34⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMBLB\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACPYL.bat

Filesize
163B

MD5
adc9cac2427b8d4c731806d76ce77981

SHA1
0a8f79b1d799052be679f429e28c8ec61fbd4f99

SHA256
7cf13c1dff247593daa4667e2446ea1b686cf218a3b470fa8ead51d5eca0cdb2

SHA512
d083bbd4d449dde8fd966bd20b8ea4621763442de52188b016d55df3ded396a16d1b921e7278e80043cb741d81b7f2fc26ea9842d22ea5acb8cf635d4da3b5be

Download Submit
C:\Users\Admin\AppData\Local\TempBTXSP.bat

Filesize
163B

MD5
2c697172bdfa07db7b67cfe434c5d485

SHA1
980edb9d879a4faf10012aa7bf70135a37bc2c8b

SHA256
4cd11d6a426684082d44d06b7b5e59f8ec06df066986e46f8817f8257bd16959

SHA512
d0a63928d7cf5b7789fa00c979d64efd09c6f629975bb2af7841baa889c420e3de3643352d822c408fc27331118360aa392da5ca3f7a5deb0b256e6657928534

Download Submit
C:\Users\Admin\AppData\Local\TempCFGPL.bat

Filesize
163B

MD5
b17ff86588db5bfcc3aba6952d586641

SHA1
3e1efdd71a03b2932f0e68b719acba9d615f344d

SHA256
449b9393312550065d7142d8c52202d3e438c245565f94deb86fb4b4f8c45b25

SHA512
491e7218d928fd6fd4f0b5c156a86488fbe50b2603a295cb6fe52409bc03d5fa7262475d87e30767eae9858d7a9f1dc4f8a7ee163b147e0c609f83582f4bc718

Download Submit
C:\Users\Admin\AppData\Local\TempDHIRN.bat

Filesize
163B

MD5
2fdcd9d2236a42565c834c18cd746d9c

SHA1
0f8dc5f6fd8766526e95f7dc1af821c880a3d17c

SHA256
e40495cc17620ede5fce1c99444af3d23be9bc642aa1c56f8ca13da953495cca

SHA512
da7dcfc6608bccb7fa4d4fb6c7c680042a306dc1a9ff1b1223045d7869fa3a39701f04a0e4d83f3f12cd306b06d2c11a1d6aa54ae5ee3546c8f7179923a94cf0

Download Submit
C:\Users\Admin\AppData\Local\TempDIXYV.bat

Filesize
163B

MD5
718af40b67f2e161d4e889d1f9acdf24

SHA1
23d9d6fd9cf4a582b4a12a4b0a87c6dd6eaf80e3

SHA256
1b4b08d7fc6047f5a84af6362e51b98ba3eb8439a61ca2c9d058424aa542cb29

SHA512
419a15ac5c10043c9f64060243d0a8607cb454dd58af7bfe619646ed8f7b22b40386d2b990a7f0a6d1bcf4bc78ec7fc3c417de259676a3525958e65ef744c954

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.bat

Filesize
163B

MD5
450df8792ce97b3b149ee477a338f126

SHA1
5ed11369cc5067502ff2e23e0fba08508ac08e85

SHA256
5bcbd88e62ecbb95519094c7fe1966d29d68cdce5c2ad72fb3ff427b4b598624

SHA512
cb16108bc5c8dfc4e092b71b448505353b2a5bd103f436a88bb7d0705b61717a1a38eac618927d27e61f62af07facde2bafe77d616950c29477968debbf870b6

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.bat

Filesize
163B

MD5
1431b0d3de88fe4d9aa73b59ab551768

SHA1
0caaeb2476cd6be7bc4cff64d5f1c68d33cfe9f7

SHA256
4db449b9b102b108cf9c1076ca3d6f78ff1ce72233a4fefeb04d7f3f662f2c9a

SHA512
88c5b60612b7171e632bb07992fae46e69c139dcf7ed24e7e16f65d93b209f63443c73580e98293e92249689323762603bb9ae6235a599f226fa1f88bc7a08a0

Download Submit
C:\Users\Admin\AppData\Local\TempGBIWE.bat

Filesize
163B

MD5
76b7b2c2561e50042e6eb278eaaf0377

SHA1
46c62b0270ae7ba05c39792693822bf124cf21ee

SHA256
bab867dbb94349373f8fe50515e3455dbe3a746a9091ecaac64ce624e670fa66

SHA512
996f7441aee123fb419fa60f770e7ae108d582de869c529b2145b4145c535582dd75ba0c7fc4d56fe8246ecf859628af0ebcb273dc4d118c705af44b7861847a

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.bat

Filesize
163B

MD5
a704564f3da487e3e6af437ec767506d

SHA1
53b7c5cec79a31f0430bc61575ae14241f4a7ad3

SHA256
c36b5f0db1b0950027a5e64234c1c3d4265d9caadea3990cfa3da0c1acd7d0ad

SHA512
eba2979a083eace0a966dfb68930731354f9f510d663c3edbce3d4c60322dfcc4cb80b130c064223032dd5cdd470b77b37eb0b37ba2069bb7194f8272fc4fa32

Download Submit
C:\Users\Admin\AppData\Local\TempIKFBC.bat

Filesize
163B

MD5
cdbc095029713df52fc7b5e903e25e76

SHA1
580abf534247c6b10e1b1eadfae96d223a5e0215

SHA256
27bf18e03afe270f06e5812f5905d5b5dbeb43369a21eabc77202ff3aad2852d

SHA512
6c3a65e7bd6e60b586a0bdbb1dd4fc875ad5f65031b850c09058bd6f9ebb4238d3a6301c7fc6f96e6db641f3a4f28e9fea08a57e364640a4881c3ee6c9e8bc8e

Download Submit
C:\Users\Admin\AppData\Local\TempJAACD.bat

Filesize
163B

MD5
a1385b4e2e93520b6f97283d2ff0e721

SHA1
8c751f4be02cebf893781f8b73e897ae0cb57ec1

SHA256
7985a3a2c1a91d38e71eb5fed6812725b3af1ff74ddaeac6868d8b0a505548b9

SHA512
b037f31c60131a6a2ca157d0dd69821327f78865391c9a994385da0e8a970de9517f340f86a516e0adffedb6edb672de88981c08829ec3d9ad424a19d3a19722

Download Submit
C:\Users\Admin\AppData\Local\TempJSOWO.bat

Filesize
163B

MD5
b0db7b0f95e58fb3f219df5a00c15a87

SHA1
e0e8938c85b4e46bbb0540310673f02a64b18fbe

SHA256
9d13398500fccb24e0540bd7b1aecd452e656b6fbc4d5f02b1ac9ae35f27f104

SHA512
b5291a8c6d2486dcb1f971f7aa2b462a03bcaa7c7b6a349fbdd0667cdca2929f39c342b44406a8dc5b7b811fd7b1f3ae8fc885265dc6ccba618f1256af83f091

Download Submit
C:\Users\Admin\AppData\Local\TempKIQCI.bat

Filesize
163B

MD5
ad8b3a75642c6f8653d0e21597ab3e39

SHA1
354ee5e7f33e058e8b7eb0b081a10f9ef329b8c4

SHA256
f21df8487c91bb37e65df344f08e4f6c9f6519f314ab5bfd8cb8631ae1692fa8

SHA512
3fb110d259e7834053f037faacafe7a6de51187ae8969f6975b479b5872608a0e636ef9afc7b94ceed0571fa4e655f25c24db12d1a171366e8a4b01c46008bd0

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQD.bat

Filesize
163B

MD5
6a401fac14448a283b090176a53a6b0a

SHA1
d154a2cb98ece0bbe8a6f2d73a905132a15235a3

SHA256
25b5dfefe526d611b4e691a065a0a720f6ff92ec69dfb886fa4120c3d224818f

SHA512
4c2308e6af81edcce42193761419bf3017336aa6858191b30bc2342128273deb45486b44874813e5182715b6b7e472874db8a4d3a9343ea3dce1c94c98434887

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCO.bat

Filesize
163B

MD5
824bcda855a5c1779b5c35f09764b0f8

SHA1
7a4587cad864334b7bb2447fc3b19bb88ca5814a

SHA256
0952fbbef3fd5cd352854d62d984c43a75e090b2485c4c191dc8c2e857df6b93

SHA512
285edfd0bdfa0b32400c1d0e733284f70899659f8e40321b3bfcd2b1343e7dcd17555ae8aac9af015ce2add12019ec16f9d63c9e066efdbfbf992b25c997c5cc

Download Submit
C:\Users\Admin\AppData\Local\TempKYGUT.bat

Filesize
163B

MD5
cdfe7cbc8bbe2385bdb920d75f48d49e

SHA1
16246fbbca888103a324555f0397452684096ce9

SHA256
1eb52b3933c628982e48440414a25c7655fc786b102e0d4c271bf5cad71da65b

SHA512
8c5c67e9a6257d171af85ca6b2b68e2bdc9e79fafebeac4b78b52dea1639c65166b5420d1bc3e946472bcae6c9f9a889c83e2de902487098edbcfa966e2366db

Download Submit
C:\Users\Admin\AppData\Local\TempLHVUG.bat

Filesize
163B

MD5
a515bc85e1b4f9ba95cb97104cb9e641

SHA1
86c7b6c22a58f81de6ec366578dc0b949ad9b5f5

SHA256
ae49603f7e9ccf92ffb8a7dd10a0c5dc6b657e56770dc40421289cfa4128fcb3

SHA512
0a788e7af48cefc9e7f865826b635318837549e9f68c1d13e24ba4ac29563c36dcd4d397df5bc73026ec57f0655aeb4b2b9740758e1216c2498a0c6898c4dd79

Download Submit
C:\Users\Admin\AppData\Local\TempLNWSF.bat

Filesize
163B

MD5
6de825256c2bbdd9239d39986cffecef

SHA1
340b832a56e6954d443a5776c39ad4b5f015fc64

SHA256
bcacdc9a4f4abc7e873e2fb9829088bc2c6bdec1f0f95c08a30d51fd3b7e2618

SHA512
cdaaeaf69a487aebafc5bab7affb187a2765e4af11e705dcfd7e0eb908de2eadcccc42050733688f53a65f728f16f8a520ac52d88338f0978347cc6cfa556803

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.bat

Filesize
163B

MD5
5a25b81aed74b167ea51919cf873d2fc

SHA1
56b2f2e5184300b74b0e947721dd445ab94b5fc1

SHA256
c94980ad5bb0ce23cd44cd7ec3580a7fc7f4104201304ab657e3506921f5c05d

SHA512
a96b1a46f7957df8ea087efaaf0fbb2b6045df6b371cd56e5b4f475e0c0adfbc2c3dfb3d2fc85041202874bc4a58d6e28eb98f8dd08ea2203dc1cda217d3f0b1

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.bat

Filesize
163B

MD5
0e84f3bcd40232c8eb14e54587f94776

SHA1
e7648e0fc12856e52efec01dedf8cb4eba0c9953

SHA256
ea568b80a63a5b79adc0dc2fee080588c2e7f9747730bc2a2f019671618ce98e

SHA512
7da9c91d583165b2af80ca23f0f398d5a56e10c2a4d07729c36c2a68b260c26e65b4722093bd03a59cb643348b63572aa12827b92e832e1abe290e60f67a6f58

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.bat

Filesize
163B

MD5
dbc03ad51b4de1604a0a68a15025ca65

SHA1
091da25146b4e3d63f67768163b317048fd429af

SHA256
c369a59d27e8ad5f6b2e3ebdc05346b56314093edf78d575bdab6140eef11e74

SHA512
9c661727d2d6bc86e5351ce399d75c38003df8dec6159a2508b9ad69e690f3490348524908bccf56646d7dc446cbd86f45e8d271b3fa7468b07a0b96b8ad7c81

Download Submit
C:\Users\Admin\AppData\Local\TempPTOWL.bat

Filesize
163B

MD5
47f07becebd00b0b45a2ccbc5de539d6

SHA1
f90a9290c96ecbbf9ef7a726c6448f66e59da7eb

SHA256
03c5237badc10097eb6687683b3e6530eb645831008f3d6f1be56b1926df5c1c

SHA512
2362b4264f72ead14acdcae310e7b9b8e8e4a50cfd474171a0dd8a206d5496895d46ebf1b39cfe817eb7b0ee13465d1dfad60c78b6a6fc9f985beeb11bef881d

Download Submit
C:\Users\Admin\AppData\Local\TempPTOWL.bat

Filesize
163B

MD5
c7ae422a1713c3ceaf6d55a47a69ced4

SHA1
f7358b78eb996bbc9535a7a5d2f676e0b51cc2dd

SHA256
01930156d66b91739abec3f67c182f3676cbbb394b3a2a1cee02d3655f0940f3

SHA512
3eec101482868ef09f0d1bf0bb961753acdb17222309c39c45f4b03b4c3607e0a15ee0c62167c1e025724683f7b1512cb039524ac7f1c400c26d74132a9a6af3

Download Submit
C:\Users\Admin\AppData\Local\TempPYAUT.bat

Filesize
163B

MD5
b81b242d63ca369b233fa36582c8796c

SHA1
91f2ba28d7ceea60b242fec5770d6faa8beb6358

SHA256
ff4fb56732f34d19d312008f66405600523da51adff0f06c9f86e163234ddb1d

SHA512
acd8f7db05de271fd445b31db9f4c1da515f48a5cbedeb77dcd949b1c986f23ba0452c57872a32a5eb011d59e95ec0ec0f9a21afa65a12a8c711b192875e8671

Download Submit
C:\Users\Admin\AppData\Local\TempTAXXR.bat

Filesize
163B

MD5
91f11b85cb352658e5ebc2c7665be76b

SHA1
b59bc9037631166a83a7134a52faa8ddf56e2ec4

SHA256
f9c879bb4253e6afa5b4e71c220736a3ad98670ad20c1f66197a54a9d219eff5

SHA512
1e2b4ac178358febfac35c2e18778671a487dc507e67f258c79b0a1b25d336028f7c16be26106c01d1c6621da53d3c35dd9a4c84c6e829f9b8479905a72233a5

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.bat

Filesize
163B

MD5
cfdfb84e49dfe6847ba1e17c53f35159

SHA1
da77ba105a48ad835fca9989a6af15f572bf5417

SHA256
51357c19a2d9039d8dbf64b780ede97baf3eadce3cc700c89036572f402954ef

SHA512
2c99745c2285234c0aae43c336231b54b3e595be42de1f5673afebf6fb2d9169efa310a372db192d1e9c5db1d5b556e48d7384bff4594e8e86c6ab47858bbbea

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
0b969760a7d696d647bc8f4d21dcd34a

SHA1
2d3b78dd5edc4c2d68319f1371f7cc0eff4ed39f

SHA256
a16fffe43bc344e531100fe8f334cc32d458aa7a43beee2028ae8b66990d5a1c

SHA512
e0baf50cedd7711c84aba69533fa9d683fc3e83c7097b671787c0b0982271be4ddb58b1a8a93b7e08bd5ae8e28d036be10b52a4e24cdb6a117a6d7396872e957

Download Submit
C:\Users\Admin\AppData\Local\TempUQQFO.bat

Filesize
163B

MD5
27ff039d38045762254339ac930649c2

SHA1
ff4084040a1a798a39f0e3a3fbdcd2ccf4c4b303

SHA256
c67cf4c7d760f4ada63e9f3c5a9e5c5b65c15221d25ad0d38a19b607d3e6bc0a

SHA512
bb4e2e7847d75d72f61dccbaa24970edf6a4f4a17190b658b95f32eee95481ce8a267da8850decb48de33dfa9690eaad84eb02c9d87ee4be9ca17bbf1be89b67

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
7c6b33b25d35867115c50b05fb15d28c

SHA1
f5f68fa6d475b45caa2b11fdf94f3fb337076a67

SHA256
065d97e5c0a93d56928136cc5a1e1bda166f3bb2d6d15edadafb7defa3897ab2

SHA512
4664b3f2b417375889cd0f404be9f2771a261707e07c782299f90b0efef80cf43e6278a8faec5a69f303b588c0d49d7e9d71ba2b8ef6051c6f258ce735db8b93

Download Submit
C:\Users\Admin\AppData\Local\TempXGHPL.bat

Filesize
163B

MD5
c4b1ff7560335ea213b5c084ceeafb7d

SHA1
68001d0f29b35df3b17ce526574ab516788261f4

SHA256
cc0f5f27ffeb0c7e4f8a30dc9cb3888b0853781de5ef902752a480ffc92c7f7b

SHA512
c6ad7cd636bea37a78660dd8c527db32667cd1efe655bd6b11f10f772a11bce3dbf6e90718a1688cff50201f384bc07c980b046d0b068aa1f40180a4668cecf7

Download Submit
C:\Users\Admin\AppData\Local\TempXXMVI.bat

Filesize
163B

MD5
a9624702f92652a8857b5b1fda35b468

SHA1
dba8956c33ab63c2544c86fcada1e576d798b110

SHA256
0a307fa8706bd033fb4b08413e371b0c4a33948c34abc6dd343d0646b87b52dd

SHA512
9bf6ed6a64f1c8d621fa1e7eddfc8b8d3a14190bfa9d765365fc290635862cb575f0a956460b2161bbec874c511c68c9f108ef90b7794db11b0be38520aba216

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe

Filesize
520KB

MD5
e4f8db80329285f2d2d32f0e1113c1c0

SHA1
865378448f2f6680734c0e6ec083bee4fc256ebb

SHA256
8032077449e134d477695e1144f6c0c98f2cc1c42eaa05aa332bc2ac01725977

SHA512
d48cab47dbfeb2c27ef4575d23ffea168dac0f86b646e663847e2251db04971a9f9423854057ae18c8610d1d1c472590d166dab3dd3e7a13fcaa7e58c75037b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

Filesize
520KB

MD5
75342e61f93ec15edd234d155efb2c2e

SHA1
de1ee786d99067b59eae8ed0efa6ac6b8ecbe48f

SHA256
19124f7e76172df9441fcb6339da61ee5e17093a1bd414c663f48d1921af19f6

SHA512
c568effe11469021a534e1b7cd18e902151f62aa80ceac2a624705f80d285c7c76df66e9b4cb7b462adc76ea1951d61351bdd4a4d8c6bbde2798b48a6af077e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

Filesize
520KB

MD5
976c4567572f65cd8e7b4e7176cf8e93

SHA1
467d5817192e328871887ee60c42c6ee22a06f59

SHA256
6cb938113d306df55499f2183dbfaa5bbe70534ccf418857751a6b2f29f45c82

SHA512
826220b08f7baceb505cdd12aec3ca38fc0c39187e3622f20f7971c5269685285cd3881ea5d3fc503e2e95cfb9cc10320eec809d2c24beed10b84ac8ba9ea813

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe

Filesize
520KB

MD5
53ac7adff4dd596c6d9519d632ea40e3

SHA1
884e053bcc09031ec62405446f78e4fb2ffe43f3

SHA256
8e86fe9a4508fa2e133c936777d5391f1b238779f32a64c9918178ecaaf48354

SHA512
ac4598fcaed66b2cf6eaefc1086afed715d62dc6b309ca8ddf47b7bd1252d85469f8e09ff4f3b81e13db08dc4a985cb555be38b09656dd2a7e78406dd3d1ba35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe

Filesize
520KB

MD5
bc7347879f5c4dfd3aacc8f2520f142b

SHA1
55f931c1d12ab1d29ccc901b1ccd612fcf56144e

SHA256
3319126bb12aeed67e5db5e5ccb8264da5eba21a91a89d2c1d08d3a4a247fc44

SHA512
1daf20f6082291cd4058dfef136e029a16a59d275c10e980a8132537c3afff5cba27266d5cdd82bad98fd25576ef2781e82a09962398b0b11c902dd144a8059b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe

Filesize
520KB

MD5
7c74b5482c6eeb112ce8ba00bcb49c50

SHA1
4d7d524441d36467ca70ab212d1af728b58d5251

SHA256
c2eef25cba878c4f8784c9673a32b68f2e9ec235983ce663c43394192a8fee36

SHA512
81cf75f43c1ce3e35b1b9de59fabe962a88b09b6221b529eec9d7cb1343f4be2a50053b8a587d4ea618e0fdc8eeb4fc447d3fc2c3e91dda5b0c4eafbec971b8a

Download Submit
\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

Filesize
520KB

MD5
df16f369550f078270e1a25da9861be9

SHA1
08fce8b29068937d8edc9774281a641ba167b715

SHA256
1b07059e0a7d91220d327f5a6976a5d7f762b4210c816e91a37ac7f4e5ecf6cb

SHA512
621153445afd3a850f80a10187adae619fc8972b1bdda96bfa4743ae46217fe11d50e77e2706a61261e890811b90fb3fba1814c4b1a16c436f5473053000a3f6

Download Submit
\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe

Filesize
520KB

MD5
b3c5f194b6656d6f6b5b019af99627f8

SHA1
71bdae6acedc355c3e58fa7f09a00ca20890d3b9

SHA256
2a481fa101fa814b3ec53c2b0fc5618631c96134640722bd02b9d3648ed2f055

SHA512
f206793849d6431ff0218a37d27b6d95902f4213e6f25cffc128f300c2ed67b74969f1e5c7c3f81a22702886bbcbb54ddd97404f5b44f3c64944234fd63f4674

Download Submit
\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe

Filesize
520KB

MD5
45b7ed69cd60b4298a55786014141cdc

SHA1
f90d728269bd7e2388ea41e9327d808af8e4913f

SHA256
e29eb6ba95f7849f0f3c4fa02f5d437f9fa90bda46d67bd210116783d3a6efa8

SHA512
b156a5970c2875ee6771ae1c4efa5407bfc5ad386561e72eae9a068710ef9c232152a0bce9592322a3e739f537e2d9c7db79c553979c41fb9ce248fc1e2e6f8b

Download Submit
\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

Filesize
520KB

MD5
1f97aa8d3d5fe106f0d7dd31e8cd2fe4

SHA1
e754928af813d4e1d49390b441b78ab36e26627c

SHA256
8d049cac5a0d621d544ec5d2ef6dbaa38212b80ae847b1345a8434047a7417f0

SHA512
4e176fb5a0bcf561d551a5928f9b603aeec1c78b5a6a4835be30d3cf59e4871a5a05cb86a920d306ad933918b956930b9ba423f16f9544c1adf3670f18b86989

Download Submit
\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe

Filesize
520KB

MD5
06f1492be5e4a187060499d357be6fdc

SHA1
20baaf907eae0fb2c5dd930990c99d29dfd823d3

SHA256
4676032e6d7499cd72baa287b68ae0e60b49a7ff841cd6379e3661e7aec221e4

SHA512
e9ee92cb40718b9b628bf4b7c36ded0502dd5df9a9c8bec00a9085a7f8fc89f8bcd974ba0e91c172099ee2f58f21a4e1e88087dcfe84b7732353999fb0d7186c

Download Submit
\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe

Filesize
520KB

MD5
3af3591825e007eca0c58632e605be28

SHA1
5eaf6fcdeef29f383d61bd214ca8fc8e213b5bfa

SHA256
4e324cc5e1811684c1fd5acf8fd462f2d0205877177b35afd92c2a478aa1b1e7

SHA512
9467ca8e0695d7ac68ab0cfb6da5d827fa54b72a9f430a2d727293bf738dc0822364ba3f8a1343e0371a7be9401ac184ae1d75e7623774c6c08795edc6cf916f

Download Submit
\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe

Filesize
520KB

MD5
60e9f26d8a5974c8825cc2e71498fd31

SHA1
e22e77280bece8bae651234742713c2147ba3752

SHA256
48d1454b5d5b81e7d9574a7aa28d893a2c155800b1ee0264c344118fa3f49529

SHA512
6bd8cd72df0a9e40954b1ebaee58aff3a50538327eaae6a27cad39c97f436d68e188aad706d0d5390a6daaa56aaa68318a84f10e5d7694136f792faec72b8fb7

Download Submit
memory/2004-810-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-815-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-816-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-818-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-819-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-820-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-822-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-823-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-826-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2004-827-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads