blackshades | b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Size

520KB
MD5

9ad804a81fe08950e54547454d6bee4e
SHA1

a10ef9d0f0c53035435c8fa5af655cd7969bd4fd
SHA256

b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e
SHA512

ee54de0bf577925e3103630dfb27a727d2c872f5c1ae1fbe489192d9ce55afc5632fd766f60d7555f2dc7e5a0f45d07b6653cf8ccdce599cd514a4b961f5d0ce
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXm:zW6ncoyqOp6IsTl/mXm

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/2348-618-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2348-623-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2348-624-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2348-626-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2348-627-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2348-628-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2348-630-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2348-631-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2348-636-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDEBKCHW\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 24 IoCs

pid	Process
2220	service.exe
2776	service.exe
2308	service.exe
2316	service.exe
2584	service.exe
1048	service.exe
836	service.exe
964	service.exe
2256	service.exe
824	service.exe
2560	service.exe
744	service.exe
1192	service.exe
2736	service.exe
2184	service.exe
684	service.exe
868	service.exe
2360	service.exe
2180	service.exe
2300	service.exe
1668	service.exe
1932	service.exe
1328	service.exe
2348	service.exe

Loads dropped DLL 47 IoCs

pid	Process
1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
2220	service.exe
2220	service.exe
2776	service.exe
2776	service.exe
2308	service.exe
2308	service.exe
2316	service.exe
2316	service.exe
2584	service.exe
2584	service.exe
1048	service.exe
1048	service.exe
836	service.exe
836	service.exe
964	service.exe
964	service.exe
2256	service.exe
2256	service.exe
824	service.exe
824	service.exe
2560	service.exe
2560	service.exe
744	service.exe
744	service.exe
1192	service.exe
1192	service.exe
2736	service.exe
2736	service.exe
2184	service.exe
2184	service.exe
684	service.exe
684	service.exe
868	service.exe
868	service.exe
2360	service.exe
2360	service.exe
2180	service.exe
2180	service.exe
2300	service.exe
2300	service.exe
1668	service.exe
1668	service.exe
1932	service.exe
1932	service.exe
1328	service.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAPQOWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RUFKPCOWOBCXTOC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHDYSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBGPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHTEDHYVWJOVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLMJREKPACFRSNL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DIWVHQHRNIYRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWCSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MIJURPTOVKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXIJCWBDUQQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNHHYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JPUGEIDKWAXSRAT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AGLCNOKIKANVEPU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQKFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CEYAUPDKFJXGSYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQBNY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDEBKCHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMHFIYLSBNSCOA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DNWEBPTYFGDMEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNVNBCWTOBXIYDI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIUGEIWXAKPWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LTHSIEDQGUQOTFS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEAUPDK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIGNJMTDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUCDOVLJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKXEOXVFCMGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BQYPDEAAVQDLFKY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXAYGU\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2584	reg.exe
1860	reg.exe
316	reg.exe
2344	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2348	service.exe
Token: SeCreateTokenPrivilege	2348	service.exe
Token: SeAssignPrimaryTokenPrivilege	2348	service.exe
Token: SeLockMemoryPrivilege	2348	service.exe
Token: SeIncreaseQuotaPrivilege	2348	service.exe
Token: SeMachineAccountPrivilege	2348	service.exe
Token: SeTcbPrivilege	2348	service.exe
Token: SeSecurityPrivilege	2348	service.exe
Token: SeTakeOwnershipPrivilege	2348	service.exe
Token: SeLoadDriverPrivilege	2348	service.exe
Token: SeSystemProfilePrivilege	2348	service.exe
Token: SeSystemtimePrivilege	2348	service.exe
Token: SeProfSingleProcessPrivilege	2348	service.exe
Token: SeIncBasePriorityPrivilege	2348	service.exe
Token: SeCreatePagefilePrivilege	2348	service.exe
Token: SeCreatePermanentPrivilege	2348	service.exe
Token: SeBackupPrivilege	2348	service.exe
Token: SeRestorePrivilege	2348	service.exe
Token: SeShutdownPrivilege	2348	service.exe
Token: SeDebugPrivilege	2348	service.exe
Token: SeAuditPrivilege	2348	service.exe
Token: SeSystemEnvironmentPrivilege	2348	service.exe
Token: SeChangeNotifyPrivilege	2348	service.exe
Token: SeRemoteShutdownPrivilege	2348	service.exe
Token: SeUndockPrivilege	2348	service.exe
Token: SeSyncAgentPrivilege	2348	service.exe
Token: SeEnableDelegationPrivilege	2348	service.exe
Token: SeManageVolumePrivilege	2348	service.exe
Token: SeImpersonatePrivilege	2348	service.exe
Token: SeCreateGlobalPrivilege	2348	service.exe
Token: 31	2348	service.exe
Token: 32	2348	service.exe
Token: 33	2348	service.exe
Token: 34	2348	service.exe
Token: 35	2348	service.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
2220	service.exe
2776	service.exe
2308	service.exe
2316	service.exe
2584	service.exe
1048	service.exe
836	service.exe
964	service.exe
2256	service.exe
824	service.exe
2560	service.exe
744	service.exe
1192	service.exe
2736	service.exe
2184	service.exe
684	service.exe
868	service.exe
2360	service.exe
2180	service.exe
2300	service.exe
1668	service.exe
1932	service.exe
1328	service.exe
2348	service.exe
2348	service.exe
2348	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2196	1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	31
PID 1384 wrote to memory of 2196	1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	31
PID 1384 wrote to memory of 2196	1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	31
PID 1384 wrote to memory of 2196	1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	31
PID 2196 wrote to memory of 2408	2196	cmd.exe	33
PID 2196 wrote to memory of 2408	2196	cmd.exe	33
PID 2196 wrote to memory of 2408	2196	cmd.exe	33
PID 2196 wrote to memory of 2408	2196	cmd.exe	33
PID 1384 wrote to memory of 2220	1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	34
PID 1384 wrote to memory of 2220	1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	34
PID 1384 wrote to memory of 2220	1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	34
PID 1384 wrote to memory of 2220	1384	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	34
PID 2220 wrote to memory of 824	2220	service.exe	35
PID 2220 wrote to memory of 824	2220	service.exe	35
PID 2220 wrote to memory of 824	2220	service.exe	35
PID 2220 wrote to memory of 824	2220	service.exe	35
PID 824 wrote to memory of 2760	824	cmd.exe	37
PID 824 wrote to memory of 2760	824	cmd.exe	37
PID 824 wrote to memory of 2760	824	cmd.exe	37
PID 824 wrote to memory of 2760	824	cmd.exe	37
PID 2220 wrote to memory of 2776	2220	service.exe	38
PID 2220 wrote to memory of 2776	2220	service.exe	38
PID 2220 wrote to memory of 2776	2220	service.exe	38
PID 2220 wrote to memory of 2776	2220	service.exe	38
PID 2776 wrote to memory of 2540	2776	service.exe	39
PID 2776 wrote to memory of 2540	2776	service.exe	39
PID 2776 wrote to memory of 2540	2776	service.exe	39
PID 2776 wrote to memory of 2540	2776	service.exe	39
PID 2540 wrote to memory of 2944	2540	cmd.exe	41
PID 2540 wrote to memory of 2944	2540	cmd.exe	41
PID 2540 wrote to memory of 2944	2540	cmd.exe	41
PID 2540 wrote to memory of 2944	2540	cmd.exe	41
PID 2776 wrote to memory of 2308	2776	service.exe	42
PID 2776 wrote to memory of 2308	2776	service.exe	42
PID 2776 wrote to memory of 2308	2776	service.exe	42
PID 2776 wrote to memory of 2308	2776	service.exe	42
PID 2308 wrote to memory of 1680	2308	service.exe	43
PID 2308 wrote to memory of 1680	2308	service.exe	43
PID 2308 wrote to memory of 1680	2308	service.exe	43
PID 2308 wrote to memory of 1680	2308	service.exe	43
PID 1680 wrote to memory of 1388	1680	cmd.exe	45
PID 1680 wrote to memory of 1388	1680	cmd.exe	45
PID 1680 wrote to memory of 1388	1680	cmd.exe	45
PID 1680 wrote to memory of 1388	1680	cmd.exe	45
PID 2308 wrote to memory of 2316	2308	service.exe	46
PID 2308 wrote to memory of 2316	2308	service.exe	46
PID 2308 wrote to memory of 2316	2308	service.exe	46
PID 2308 wrote to memory of 2316	2308	service.exe	46
PID 2316 wrote to memory of 2556	2316	service.exe	47
PID 2316 wrote to memory of 2556	2316	service.exe	47
PID 2316 wrote to memory of 2556	2316	service.exe	47
PID 2316 wrote to memory of 2556	2316	service.exe	47
PID 2556 wrote to memory of 1736	2556	cmd.exe	49
PID 2556 wrote to memory of 1736	2556	cmd.exe	49
PID 2556 wrote to memory of 1736	2556	cmd.exe	49
PID 2556 wrote to memory of 1736	2556	cmd.exe	49
PID 2316 wrote to memory of 2584	2316	service.exe	50
PID 2316 wrote to memory of 2584	2316	service.exe	50
PID 2316 wrote to memory of 2584	2316	service.exe	50
PID 2316 wrote to memory of 2584	2316	service.exe	50
PID 2584 wrote to memory of 1108	2584	service.exe	51
PID 2584 wrote to memory of 1108	2584	service.exe	51
PID 2584 wrote to memory of 1108	2584	service.exe	51
PID 2584 wrote to memory of 1108	2584	service.exe	51

C:\Users\Admin\AppData\Local\Temp\b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
"C:\Users\Admin\AppData\Local\Temp\b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempXJYDI.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RUFKPCOWOBCXTOC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2408
- C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe
  "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempRSXDE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2760
- - C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe
    "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIUGEIWXAKPWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe
      "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXCUUQ.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIYLSBNSCOA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVQJMN.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LTHSIEDQGUQOTFS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAUPDK\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAUPDK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAUPDK\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQE.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHBPYK.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTEDHYVWJOVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNHHYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempODRYH.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VLMJREKPACFRSNL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDWWLU.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHRNIYRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "
        14⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUCDOVLJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGHEN.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKXEOXVFCMGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJWENE.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JPUGEIDKWAXSRAT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFRCBF.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AGLCNOKIKANVEPU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "
        18⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYAUPDKFJXGSYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXYVEQ.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNVNBCWTOBXIYDI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHSPNR.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BQYPDEAAVQDLFKY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXAYGU\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXAYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXAYGU\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
        22⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIJURPTOVKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXBNK.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIO\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIO\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQBNY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        26⤵
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe:*:Enabled:Windows Messanger" /f
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempDWWLU.bat

Filesize
163B

MD5
5173f087c79d96c19c0b3c179d070d52

SHA1
c75236909f9401a0b974abe7ba97af86ea5b68f6

SHA256
5e40da6ed8954741e011fc6bbeb8c1ede726e596f915abcd773375198ccaae5e

SHA512
c996d44fbc155a9c4033ef0f8981c63b838ebbd9123a3a958b5e4053b65e8c9e3842be0356e179be2b1608533477c0c2931d8803bda82244213f1c23ead085f1

Download Submit
C:\Users\Admin\AppData\Local\TempDXBNK.bat

Filesize
163B

MD5
52c6f0a334f196e2d35bb2b75311aeed

SHA1
ebb3ef129d053153da545b1206024e91ef3a55c9

SHA256
330c7a65496b53e96367e491d0fff9e160643e85bda816381ee2e16cdcd19b3e

SHA512
2e4a8fa85c8eae8e4c3df02054fe7687cc68da35859fb80b9ac9b8257cc93dfe22a7969ab64ac7cc89a71a7c6c22a9914ebb021b9d4df58aa5e389c6fbbcd10a

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOJ.bat

Filesize
163B

MD5
f3719e263529fa662715cdd85fec8596

SHA1
6148a2364029aa9781f6f2d6143ad2b060483be5

SHA256
ee5e309ba64eb2c3b5f807c6b026a982ffee23b8bc50a9e3184b80e04275c9fc

SHA512
749de53bc273ea7004970b838725bf7c612d34254ed1ab6d5af5bb83518865a34ab97cb0a47a9804b60ba8a18c0fcdddc19f8e679f940ea04a2c72b747dc609f

Download Submit
C:\Users\Admin\AppData\Local\TempFRCBF.bat

Filesize
163B

MD5
a65242fedd2d7e94156f8fda61eff333

SHA1
721788f34cd5a82d1f0375a8c841db4e37929d85

SHA256
db47bd0a9db98a63487803bd687fd28d1217cb4048b6311fc9ef5a5db1fa47c8

SHA512
084957268e45e0d7fc950309f4386229c1a1f2359a9a38e868f73c1266547a895a52993675c2a7f6279cb6316f1edd56270f6fd38ef35571173b9b7b15de27e3

Download Submit
C:\Users\Admin\AppData\Local\TempHBPYK.bat

Filesize
163B

MD5
e5416735d419202f0b2b4cc0ef9130d3

SHA1
e661248c8cd24ab4e7ddd3bd533182bb1cd36890

SHA256
15d16777edaff03d475262cee4b6249011d8ac1e3f3c767f76b3ef2cde8bb7fb

SHA512
3cef4730d169459837e7cf5b0d20b9db4461ddded462000487a18e2d9553c94e1c5114c9c990ec07a4750b4feb0ad7b723dfb052a695cf2562861dbf18401349

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.bat

Filesize
163B

MD5
0ad59275a022c5e20e87ee3b1a5005a0

SHA1
3f71e6923ba2404a0aa4c59827701abfa89af383

SHA256
dc2f20de3ae28bf281fb113fb03b1e76b81bd7addf0f5f76be20cfff0e3d419e

SHA512
175201b62f9302dec4f9a597f0bd94209ce1bc41fb6c694cab3edd53459aac5ec0d411a2a1ac9fb7df4e252cc5971e11906592264d2ca7a2c0cc60367dff1b08

Download Submit
C:\Users\Admin\AppData\Local\TempHSPNR.bat

Filesize
163B

MD5
1204e39d77d02574aa0f12330f5a223d

SHA1
9ea88731bc46c0198db2c962c5998b93e2fd3e26

SHA256
f557f0b058a9c965a1c72e470971277b6b4a826833f628e056839edf84c608ee

SHA512
384ef77a7b07d00458ed6f96ce998da03f6f573ab17537849d6e75c1b8a3f1fe4ccc1e9c8c02b6240ad158ef2f4b149ce7a82ff435eb4e5523e37a0eab49fa1a

Download Submit
C:\Users\Admin\AppData\Local\TempIACQM.bat

Filesize
163B

MD5
9ada90bf0bc5e99469d1aad0a1ff8ff8

SHA1
7747b7419404205d7d16f3660a687b491fca270b

SHA256
5b0b19aa16803901c65e8bbd153351f98b80ee997176e72db239b440a018a307

SHA512
253793a2b45c97b656fb530c7447e9bc52d0ba791cc9a24aa455b83cc2107182f2f5b8fe449ffce3d761025166dcafb0ca0b19130aaa716e1da13a41fa119767

Download Submit
C:\Users\Admin\AppData\Local\TempJWENE.bat

Filesize
163B

MD5
22fda8ee63d55b16f5f9cddcb752114f

SHA1
296e39840af80959b7de271fe8c3c98e31e7f908

SHA256
638dac89740d47d8ec218df7404ff4b40bfe5806b5b427ce218aa007f279094c

SHA512
3d5be819e2c22bc00dfd6e2bc132c948c81af86298a678bb60fc999fa9bc260d9d513a2f10e51585c1dd503b4ad859dceb0d1945e8dc8014bf56958c8816442a

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQE.bat

Filesize
163B

MD5
2c52dfaf0450ed45eb8a7231ecc5242e

SHA1
c9bdc65dadd37fd27cd1768f3ba797a630981d78

SHA256
b7af0e48d9edcb58881f2dceec18a22f1123ba5e9a7765339c6713cbe9c29922

SHA512
09a91f39bb0c748a11a214742579b94d7a33248443fa3011e4835b756842fd6682c1c2c901219ed3de2ab4d49045517be252c8d804caf5a050e993608c04d73d

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTI.bat

Filesize
163B

MD5
c967c8ea99e05e8999eb24f8900c403a

SHA1
425c514762d44b2e13a5b032af100bb3b2abf181

SHA256
34bd7ade901cc3817d6259f6369d06d2f2d1fcb9dcaa610dcf95f78eb4e9845d

SHA512
45de03c260c349572117695db8dc15f5535ee530874907af73ea5309e490092d3dad1b4656fd618ef346bfeadbe4da287eae7eff4e7eb656269ed0c48c98c61f

Download Submit
C:\Users\Admin\AppData\Local\TempODRYH.bat

Filesize
163B

MD5
6f3cfaf608241c45fdb1078277ed52e7

SHA1
6a6f7775ba007331b68d44eb280f8bed0ccb1e8a

SHA256
0ddcc05967a4742299beab0a202f8c96724224c549eee9352880f122c4c96181

SHA512
aa39c23e3e28fe396a339a09c7035054aa89f814448a77a5694ef8140efebb70d62cdd75bf9959f17cc981d354065b737af2b2d625bec41eeacf2b155d08a21a

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.bat

Filesize
163B

MD5
89e522433b731c85139482d45f788ec2

SHA1
a7c7a82cc9f450613d5574eb9516b8bfb3468c7d

SHA256
b813aea977c0e97dac7254217395f1e7c8fc3496a4c024320c9ed30d6ad5ce5f

SHA512
4a8d39ee33e7d49146e2747bd2d432fd45bec1678e4c8cbd97a86bd5f27f3c71dfae1df8c94e801e8a1b14425d91e8b94965302c786e9443a1378e54835f3e52

Download Submit
C:\Users\Admin\AppData\Local\TempRSPYK.bat

Filesize
163B

MD5
24846376ee8873ad6e1eb633fcff152a

SHA1
423e624e1185f75083bfb524066b9269b42338d5

SHA256
41b2c850eed1bda4802562ce2c4543e1ebf3a6d552026075208de8a95f1c4467

SHA512
ac7364de7ac08a77497d34c0c6a0de7bca4a321e913b3901e1b6afc6b8f07e01330096d27df2c81ceec72600cec8cefcc9390e49cf37eaa230255fc18e5b7b3d

Download Submit
C:\Users\Admin\AppData\Local\TempRSXDE.bat

Filesize
163B

MD5
5ee2dcdf707f3358fd165faf4f5bb8d3

SHA1
44f23abf92a6e5d40ec77a6a1ef55d0434264653

SHA256
cc43868528bc2262f64776caa400f4b756b4fb39c288fa8fe8088a18f0a2e36d

SHA512
646ea55b4cd90b5673f3b1a865b87df1555876fc0de7f446b8ff10d11b8b85eff789c3562bf13f155d8e6799602f796350456eb54f8e45750ffed7a18708a97b

Download Submit
C:\Users\Admin\AppData\Local\TempSDXWL.bat

Filesize
163B

MD5
f041eccce7f551790b2c0f141c2371ba

SHA1
180afe3a0774c0ed883589e5976d5fbaf2c281e0

SHA256
a05bd12817a17601f3763fbbb889159320bbd652b56ef34bb1f6105193903d42

SHA512
dbd390f540aaf5124445511d977a49889dc010c9715bf89fea123840304de65da6c0da5804ea5312635bd35c6962110abcb0e19d2e5bc8a773cf8d0d6420acc8

Download Submit
C:\Users\Admin\AppData\Local\TempUGHEN.bat

Filesize
163B

MD5
771a0d697e8d2daf76b5fcaeda95e869

SHA1
c935556bb99880967d7d32477ec39bfa8ea1fe78

SHA256
f64146df60407c9c4acca8467db24c82df7848197178bbd42420724fadd8fa51

SHA512
6c4671b23fdd31bb1d0b0bfcd6d622cdec8bebee3050b2fe72c93a352789f82f81dab4ae561f137ee8e64968295f02acbce80cc5725a088b786b508709367900

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.bat

Filesize
163B

MD5
058f7dd3ee141f3862b24a51e8f13db2

SHA1
bec03c56bce6498f30f4b3b3e197a01376d52fbf

SHA256
09edcb1f7979d1d6c26d8f9b26a9a742cfe3726e750ddb24231502a77bbe115b

SHA512
8cf9fddeca51e64de16571f7c26e356353dc675554de3ffb38b2593d5b2abfdf6f769a5a0ee3dabd3e883d99bacb0beb9a6b33b69022ed2a409f7b77fcb7fa7d

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFN.bat

Filesize
163B

MD5
89af95d54300d855778a9db399ad7828

SHA1
a79d394b7ef43509f01b94e27a7314b9d717b646

SHA256
86e20b73f0d2b6572ac976d75099830ea72e1fad0291055c3fc8525962f4aa37

SHA512
b7bc1a7b032ad8f3be687ea5b3fcbe47f324aff313db69bbdb63d2ad786685aae2749b967546de968bba4982e65580cf4bb3f4bd3db7e89e0264512a641e0c5c

Download Submit
C:\Users\Admin\AppData\Local\TempVQJMN.bat

Filesize
163B

MD5
635c1376d293692841098eae0bc46589

SHA1
f009fb2303e164f101b8e33a6c72f5e73b898b4c

SHA256
c820862a2f940c91481b38357f307a4369361951f9f6ed619b93d88983c2813f

SHA512
946ebe3b44111f60ceccdbb6e8fa441bc07355c36e3087dfc0435b18be6da2c03ea6422b9b6261028783b3465f022dd09f219114780c0d694f7a4ff5e3b1e091

Download Submit
C:\Users\Admin\AppData\Local\TempXCUUQ.bat

Filesize
163B

MD5
10ef7664e53a773abafeea04ace74ee6

SHA1
06626c1e0f7a16d3b5bf806d99c90a069af7ec32

SHA256
b043858bb83a29c17c104f696c5afb73ce4b6db7b11876e09bbc63d86eeda8f8

SHA512
8822656bedd7a178046df4f030369c5242c42b4cbb36c1e91692f4cd6d85cbd488982d5376c46b03dcd7674ca13c2c54e00e9393a04dcb10e4e222fa80c6462c

Download Submit
C:\Users\Admin\AppData\Local\TempXJYDI.bat

Filesize
163B

MD5
7129e58559d8fd0d1a9e5e3123e7a24d

SHA1
750e1f85abc2626c529aaa0c6ed9d61803e32cac

SHA256
7cfbdbdfab6267049206e67e9d4515a26a258814a04d0583810ceaff4565d4b0

SHA512
98d7d0fc58d789c48790fd6c6c9776c275cc92fd98736055c1bcbaa25cbfb722830a5f02db1872b52c0e625ad8c3c7223fa3dcdb0f22d28b700d88dee71f4bda

Download Submit
C:\Users\Admin\AppData\Local\TempXYVEQ.bat

Filesize
163B

MD5
df18bea0faf6ad062ccca53711b79526

SHA1
4992fff353e6091a1e3bdbef0ff80b90ca77acfd

SHA256
86571cac6db511373763bb5c0ccda5902b282852cd68c1c1764439f7d630d5d5

SHA512
51c3da9c641ae15e45e52ab009ef831791e405a96d298d7ce7e178ea2cd7802910a60998fec69eaa470e41479a219a31fe53ff3cf095f74c7d06e7219a2d02ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe

Filesize
520KB

MD5
8f5b85e012875e0f4e2584a8d41a7afc

SHA1
1c4708fb21fa0968d9351d9f8d22c2ff719cf81d

SHA256
f4aa22d99ff987a1313af52886438f3e3d803ccbdb53065d5852f56e25d28728

SHA512
ff6cbdb72a633fe72990be4d38f2d370aec3b6ced068eaab822f36d9e9927ae3f078a4a67b38227bd48bce79950bc4c63c91be56ae09ce4ac86ba39880e67f03

Download Submit
\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe

Filesize
520KB

MD5
a42ce16e73948532981b839f4da0c580

SHA1
1f542555f7956455878248bf43f338050f3bde61

SHA256
48cd95991497f0f5ab5a8d8e8af1dc4ce2e2670c5ceafaddf2465e78e335300c

SHA512
c797dff7568e768f3e06a1c215a6000c897c692ce613939e73489635eb55721e99c90dd5582061fed958b4ea24dda78dc13938abd2e1d2b70933127f4ad79cab

Download Submit
\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe

Filesize
520KB

MD5
a87f4adcf3df4d4c83befad1737fd266

SHA1
10f0c04ab918e9abbd379c9f0a85bf021829d56b

SHA256
7c6aac58ac4c49d7a109669fedc69689a8a2b232c4b3ecb94d46ff037559deaf

SHA512
2e9d1446327941470781dfbb4f9992aaa2a5834308b9462584fe25118a11a87a030f1a39ba28206f4dd2ac65cf43a602f76254c7d7bb0a31f8b21144cc1b5507

Download Submit
\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe

Filesize
520KB

MD5
a81235d2027436f599e12f3dcbc80888

SHA1
75042e4ae20ce3d8da834e2b1a94ca6c28b3454f

SHA256
81d15fccab450176c4e65858a58e745cdfb17ad324e4879b330343217d6fd82d

SHA512
e68c394892923b5a60cab1673185020f9e91b5294c921bdfc71d9a7632e8c5c09f86d6145c0aadb90e288dfa3440820b74cd6f22d6956289b19e1e2592e0e721

Download Submit
\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe

Filesize
520KB

MD5
74edf8be54d504f5c5b95ce1c1466dd7

SHA1
88f731fa3e51808e29d10b09a0496eeb5ef5482a

SHA256
5f8109a87a0067e4b5be9f2a7ae420fc7d9a64daa2fa2c075054519761eb210d

SHA512
e70abb4a4a19982fd04317171c000f11746568d6488896de5438e78eea54b7a16603b01cc5e2182447fc6a9abc5126d83ff4c5280a7f811cf778f3137693ccb0

Download Submit
\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe

Filesize
520KB

MD5
c5cf6e09c78db5ac45597bac042f337f

SHA1
d88e33655e71a5d10df9a427f925c3a4e2ec1e69

SHA256
cd95b4f3246b764a8d37b316afff43d44c9a11f5839f42f7554c6c5172ca4203

SHA512
5e83449cabe51a3f55a10ec0606330079fee2484f13cdb71391990fba5ce936bbbfc2ebc93c3c88596486c2c112362f83a19ad029b142ce835115eedd51ed838

Download Submit
\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAUPDK\service.exe

Filesize
520KB

MD5
0a1e3a2b42bd870da5c4d91932c0517a

SHA1
c6fa9c4af957a6e8fca2857e922a5d6128b26a92

SHA256
846978aa0b34eb1be66258cf787b0fd11f7b9a3d391370dbb573a3e92275c050

SHA512
a8d029f731acbcf48db3bbef6d540444418447f6894ed77c5c24a404f46d29924b86c8f9377a602f5cad8d543937b32f796b2adc71f2b7d7c2f76940c55531a8

Download Submit
\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe

Filesize
520KB

MD5
ef77e864edb59619089194b07b0a565c

SHA1
4b0712195f2b9cfedc79f3c653726edc4bad2b24

SHA256
54b76bfe9778bc01170aa20b22f85c526e031ec3b1e47bb611427ae4282cdd22

SHA512
a54a2fe2e0df1c0808449246baf2e17e069e5c7e77a4e3cefe11b22fe8ed913501010adfe96be38b2402dbadea51be2814ee4f93f34c3dfa91f31e6da8c95a2f

Download Submit
\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe

Filesize
520KB

MD5
0da7c9656c2f26482246493660ba640c

SHA1
5cb949f554ac0c98ac4fd833221db04f42a8d85d

SHA256
8761b11a6d8d2625dd4105bebff3a19d6a4a8d3d9e7a978735c87da4233950f0

SHA512
381b64538aa068e2bde50af21dc0e3cfb110c05f7d992e915363ca0067da5605a3bf6207f2264b1af968c43ecd139a6577623558240b6a32f625408fc09c0c7c

Download Submit
\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe

Filesize
520KB

MD5
f488bb43d0e0c0586430b092c566a1b4

SHA1
5630e452a49b13c6c09b2444c209ef77895d7f0d

SHA256
9e9a5d02e75ced12e57ce830473e9df01223601fdc494fe41b7fbe2a8811ab24

SHA512
13e9835d7328f37cf64e2fa1d6d0b0e26b3a26007951bbf119b75bc062d5daa74f83eea01379e78be65e5449402cdbefa461815866bd0fc86ac5fcae56a3ff2e

Download Submit
\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe

Filesize
520KB

MD5
9e0bbcfb6d085602b0502500044efa0f

SHA1
5853806ea4734be20cfe527ad76c1b476ec68d4b

SHA256
9ef3003e82d5e7b4b01f5355a8f6676e88d8d07d8f3ca2f77ee732924f12d690

SHA512
0533d235e89a68dd160eb859e8e2e0a49c5e92e09e393f5e355ff00a52804e59307b0e7814a87c88f6fca173b203f86863119298f9e17510b47146f9a1cd3edc

Download Submit
\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe

Filesize
520KB

MD5
a769f24028114c0f9b86983f46edfdf0

SHA1
a0c9420b6cbe2c61a4c114c979c8d16511a18258

SHA256
6dbad8ba652d929a4bd4a00f9fb0b2480bd147d6f921dce4af334c50292463fd

SHA512
f81f9d3c4e1cffff5e737aba6aa36fea56ab16d9517a6fbc0624fb30b5b343c3203184c6ad0f9ab4768376466a6c95cfeb4fb66ffbdcb7381bf9b2d504268693

Download Submit
\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe

Filesize
520KB

MD5
5841b68eabcee2db9928225e6e86f12a

SHA1
4ba6bd055394468d1a526b57e1acd72e2827f405

SHA256
852f254c6b97b2208d2eb901d66879309713479933d84896cb8b2d7b2148ccd5

SHA512
eab9ec1d108fc972570be46dd402a3afbf95922ca62aab8bbd1c5122d3e6ed63d209199c3bee8de23974ceb15c2c00075eef2a2fa176d5e11e30ed968e404e76

Download Submit
memory/2348-618-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-623-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-624-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-626-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-627-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-628-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-630-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-631-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-636-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads