blackshades | 0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
Size

520KB
MD5

8dd7367d4f6217d792a9f5ad0fb3b64b
SHA1

2c18e3bce4620eabbf9f4f233c8fc0f16863e5f0
SHA256

0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd
SHA512

1ef67766e26d8ac0ca693e09ccb8ccc021f0f1b6934f13f875e9c7e73e7f7b6f898b99b62edd54272c42070af63565685997a03c6f738d7968e121b626906712
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXp:zW6ncoyqOp6IsTl/mXp

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 13 IoCs

resource	yara_rule
behavioral1/memory/2984-352-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-357-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-360-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-361-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-362-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-364-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-365-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-366-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-367-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-369-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-370-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-372-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2984-373-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 13 IoCs

pid	Process
2736	service.exe
2936	service.exe
1924	service.exe
2780	service.exe
1996	service.exe
844	service.exe
2480	service.exe
2428	service.exe
1776	service.exe
2872	service.exe
2160	service.exe
2952	service.exe
2984	service.exe

Loads dropped DLL 25 IoCs

pid	Process
1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
2736	service.exe
2736	service.exe
2936	service.exe
2936	service.exe
1924	service.exe
1924	service.exe
2780	service.exe
2780	service.exe
1996	service.exe
1996	service.exe
844	service.exe
844	service.exe
2480	service.exe
2480	service.exe
2428	service.exe
2428	service.exe
1776	service.exe
1776	service.exe
2872	service.exe
2872	service.exe
2160	service.exe
2160	service.exe
2952	service.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCHVUGOGXPLGWPB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNPBHOOXTSHQDYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUYKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EVOTMCMGEHXTUCQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWVNDQMKPBPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGELUKQHYPEOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKJMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGSTOMPESAIAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKIKAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOAHLCN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\DJOBEPRMKNCQXGS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCXTOBXIYDIXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMYPSRTFJOCNWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMIJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTQRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2340	reg.exe
2196	reg.exe
2156	reg.exe
1760	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2984	service.exe
Token: SeCreateTokenPrivilege	2984	service.exe
Token: SeAssignPrimaryTokenPrivilege	2984	service.exe
Token: SeLockMemoryPrivilege	2984	service.exe
Token: SeIncreaseQuotaPrivilege	2984	service.exe
Token: SeMachineAccountPrivilege	2984	service.exe
Token: SeTcbPrivilege	2984	service.exe
Token: SeSecurityPrivilege	2984	service.exe
Token: SeTakeOwnershipPrivilege	2984	service.exe
Token: SeLoadDriverPrivilege	2984	service.exe
Token: SeSystemProfilePrivilege	2984	service.exe
Token: SeSystemtimePrivilege	2984	service.exe
Token: SeProfSingleProcessPrivilege	2984	service.exe
Token: SeIncBasePriorityPrivilege	2984	service.exe
Token: SeCreatePagefilePrivilege	2984	service.exe
Token: SeCreatePermanentPrivilege	2984	service.exe
Token: SeBackupPrivilege	2984	service.exe
Token: SeRestorePrivilege	2984	service.exe
Token: SeShutdownPrivilege	2984	service.exe
Token: SeDebugPrivilege	2984	service.exe
Token: SeAuditPrivilege	2984	service.exe
Token: SeSystemEnvironmentPrivilege	2984	service.exe
Token: SeChangeNotifyPrivilege	2984	service.exe
Token: SeRemoteShutdownPrivilege	2984	service.exe
Token: SeUndockPrivilege	2984	service.exe
Token: SeSyncAgentPrivilege	2984	service.exe
Token: SeEnableDelegationPrivilege	2984	service.exe
Token: SeManageVolumePrivilege	2984	service.exe
Token: SeImpersonatePrivilege	2984	service.exe
Token: SeCreateGlobalPrivilege	2984	service.exe
Token: 31	2984	service.exe
Token: 32	2984	service.exe
Token: 33	2984	service.exe
Token: 34	2984	service.exe
Token: 35	2984	service.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
2736	service.exe
2936	service.exe
1924	service.exe
2780	service.exe
1996	service.exe
844	service.exe
2480	service.exe
2428	service.exe
1776	service.exe
2872	service.exe
2160	service.exe
2952	service.exe
2984	service.exe
2984	service.exe
2984	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2396	1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	30
PID 1804 wrote to memory of 2396	1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	30
PID 1804 wrote to memory of 2396	1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	30
PID 1804 wrote to memory of 2396	1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	30
PID 2396 wrote to memory of 1856	2396	cmd.exe	32
PID 2396 wrote to memory of 1856	2396	cmd.exe	32
PID 2396 wrote to memory of 1856	2396	cmd.exe	32
PID 2396 wrote to memory of 1856	2396	cmd.exe	32
PID 1804 wrote to memory of 2736	1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	33
PID 1804 wrote to memory of 2736	1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	33
PID 1804 wrote to memory of 2736	1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	33
PID 1804 wrote to memory of 2736	1804	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	33
PID 2736 wrote to memory of 2720	2736	service.exe	34
PID 2736 wrote to memory of 2720	2736	service.exe	34
PID 2736 wrote to memory of 2720	2736	service.exe	34
PID 2736 wrote to memory of 2720	2736	service.exe	34
PID 2720 wrote to memory of 2856	2720	cmd.exe	36
PID 2720 wrote to memory of 2856	2720	cmd.exe	36
PID 2720 wrote to memory of 2856	2720	cmd.exe	36
PID 2720 wrote to memory of 2856	2720	cmd.exe	36
PID 2736 wrote to memory of 2936	2736	service.exe	37
PID 2736 wrote to memory of 2936	2736	service.exe	37
PID 2736 wrote to memory of 2936	2736	service.exe	37
PID 2736 wrote to memory of 2936	2736	service.exe	37
PID 2936 wrote to memory of 2668	2936	service.exe	38
PID 2936 wrote to memory of 2668	2936	service.exe	38
PID 2936 wrote to memory of 2668	2936	service.exe	38
PID 2936 wrote to memory of 2668	2936	service.exe	38
PID 2668 wrote to memory of 1916	2668	cmd.exe	40
PID 2668 wrote to memory of 1916	2668	cmd.exe	40
PID 2668 wrote to memory of 1916	2668	cmd.exe	40
PID 2668 wrote to memory of 1916	2668	cmd.exe	40
PID 2936 wrote to memory of 1924	2936	service.exe	41
PID 2936 wrote to memory of 1924	2936	service.exe	41
PID 2936 wrote to memory of 1924	2936	service.exe	41
PID 2936 wrote to memory of 1924	2936	service.exe	41
PID 1924 wrote to memory of 2952	1924	service.exe	42
PID 1924 wrote to memory of 2952	1924	service.exe	42
PID 1924 wrote to memory of 2952	1924	service.exe	42
PID 1924 wrote to memory of 2952	1924	service.exe	42
PID 2952 wrote to memory of 1816	2952	cmd.exe	44
PID 2952 wrote to memory of 1816	2952	cmd.exe	44
PID 2952 wrote to memory of 1816	2952	cmd.exe	44
PID 2952 wrote to memory of 1816	2952	cmd.exe	44
PID 1924 wrote to memory of 2780	1924	service.exe	45
PID 1924 wrote to memory of 2780	1924	service.exe	45
PID 1924 wrote to memory of 2780	1924	service.exe	45
PID 1924 wrote to memory of 2780	1924	service.exe	45
PID 2780 wrote to memory of 1660	2780	service.exe	46
PID 2780 wrote to memory of 1660	2780	service.exe	46
PID 2780 wrote to memory of 1660	2780	service.exe	46
PID 2780 wrote to memory of 1660	2780	service.exe	46
PID 1660 wrote to memory of 2324	1660	cmd.exe	48
PID 1660 wrote to memory of 2324	1660	cmd.exe	48
PID 1660 wrote to memory of 2324	1660	cmd.exe	48
PID 1660 wrote to memory of 2324	1660	cmd.exe	48
PID 2780 wrote to memory of 1996	2780	service.exe	49
PID 2780 wrote to memory of 1996	2780	service.exe	49
PID 2780 wrote to memory of 1996	2780	service.exe	49
PID 2780 wrote to memory of 1996	2780	service.exe	49
PID 1996 wrote to memory of 1000	1996	service.exe	50
PID 1996 wrote to memory of 1000	1996	service.exe	50
PID 1996 wrote to memory of 1000	1996	service.exe	50
PID 1996 wrote to memory of 1000	1996	service.exe	50

C:\Users\Admin\AppData\Local\Temp\0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
"C:\Users\Admin\AppData\Local\Temp\0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempWHTED.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DJOBEPRMKNCQXGS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1856
- C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe
  "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempQAQRO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCHVUGOGXPLGWPB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2856
- - C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
    "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQTTNG.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNPBHOOXTSHQDYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJRDJO.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUYKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJTOCN.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVNDQMKPBPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKJMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQWNLP.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCXTOBXIYDIXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGSTOMPESAIAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTQRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        16⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe:*:Enabled:Windows Messanger" /f
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe:*:Enabled:Windows Messanger" /f
        16⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        16⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        16⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempJRDJO.bat

Filesize
163B

MD5
c84fae6cade4418f510bef53dbaf1202

SHA1
adc0e9b7e978c8a8835ddbbd3a0ccdd21f518bfc

SHA256
242708153ac165985ebed0a13191950afcf8d69f8300d912acc4733f1ae12acd

SHA512
4b9b9a4a9dfdff6b4d27fe3e9a1cd53df4fac54e602699572cec0539b463d621aa782f47a490e46521cd1d754b5c076739105d33785a62ae058799dfa43f8846

Download Submit
C:\Users\Admin\AppData\Local\TempJTOCN.bat

Filesize
163B

MD5
c4b45b1e2af2cea76afc4b405695c381

SHA1
673a58efa8f72f93e593f2531c2fc97658554c73

SHA256
8b22359b4624b5e92a3e62c6627a1cffa13ce500643f420664aee2f42e8c81f9

SHA512
3cefb1aabbcc4514f3a818fbbcbd74c22d01a438ef63fc226d073f9ec5e2002f39f7e2b9e0431e709d495e3b4b516d880aaf85e1dab796b4322d52348a9b3649

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
136b7fb3d1a7e4059c007d2c604439d5

SHA1
b46979b4355b2954b017ad8a50440895cafbcd21

SHA256
a81439c6b3bb3671f81542571a09edc46c19a71eb9310643271019f400f0c749

SHA512
201845d3f30dbde37cf26898934b003190d004c8408db9fee10f76aec96c5ac12f0ab6b2e565f5952bc9e96ed3c124a8d390aaf8f1bb8220e66e83ce72240bb0

Download Submit
C:\Users\Admin\AppData\Local\TempQAQRO.bat

Filesize
163B

MD5
c4d325266c9122995b6df11c27134670

SHA1
fd26959a905c6f78a1e82f530916ddaeeacb5952

SHA256
d02106e3ddfae68754c7b6c938ae2430926a3602b37a9d94cd82236d16d368d6

SHA512
d3947414a26642c5b57c45e3ea29dd00b6a215e4d2b3e4b48fb7bdc565d300fc16aa54904cc369a416b17aa59b4fbf396ca2f8632b742664bc28bee45e99eafb

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.bat

Filesize
163B

MD5
4312a181e4cdda08330c6bf80067acb4

SHA1
f9f90def514dcd98d07c8a93080f0aa21a5ede05

SHA256
1ac8ea8a829ff31007b7d7c33e1f686d875f8e759c346b465c5bebb520b3d095

SHA512
310c6647c0939bd1fc546910ec36aa01602ce39220538920e8086580577088611fca4b8bce8c7ddfb35984560504b1f0618c4d028aa25a5e582967a038de9f67

Download Submit
C:\Users\Admin\AppData\Local\TempQTTNG.bat

Filesize
163B

MD5
f071b34a390a7a7cd7aedc38d433dc3b

SHA1
211ead73450058d6c2e6ea9a1df09ca05a6be3cd

SHA256
1b174aea9e269e01851ad85ab46e6ff467867f7184030a172b8f941fddce52a8

SHA512
3d13f2de7fb8571f3919bb603f31039a2b151ca82d4c15bb504b1e238c1edc7fbaebff1f0dacf2ff694c8097e9af5774fffa09a2dcc9c0a19b0a1f52d46e9614

Download Submit
C:\Users\Admin\AppData\Local\TempQWNLP.bat

Filesize
163B

MD5
3829580febadb6b2f04e75f849aee1b9

SHA1
806b354aef0a27765263cc1cdefd39384593639d

SHA256
e8797e1da7039d8c54662f6fb066fa533b5255a60bc52b35d18c7e689a62a696

SHA512
4604cfc34b68845ebb1207b13f4a5ddf619d54fd3a7c4c089d0d03b9204710e754b4235cca3d7757470c3a562f4e4f011f1f22a8f1765dee186e4d08afa3d319

Download Submit
C:\Users\Admin\AppData\Local\TempUPYPE.bat

Filesize
163B

MD5
abc643b0e8eeb7605f8e2cc38f040705

SHA1
cbd9c2cfd3024d23a49fb163833402c984be3b83

SHA256
c0627fd5a2860cce90b14cac3f9f2993a120414767c4e3a29ec6003bb008a1ff

SHA512
490d75709db51fa09dafab2da82420f3f03caa78671f289a6f2ab73a7e787455f77071066f35402c01386f620c4313d509436179971b05b597432c9ace4be3af

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJX.bat

Filesize
163B

MD5
80e9dadead05662d6617aea90188dbe4

SHA1
899035a614c72bcb26b31011eb63aa89b5142914

SHA256
a144536a2fd5a2737935170ceea701b469b573f32d564d65d1fa1f3f144d93f0

SHA512
33f4dd56d6d3377c72374ada5fa4541536259f456c8e4235e25cbbc6cccce126582e413dd414575dff9e2b4392a3eb057e974667c8caca33fda2929cb6d70463

Download Submit
C:\Users\Admin\AppData\Local\TempWHTED.bat

Filesize
163B

MD5
614709f61aecc836c99f17278416fdb9

SHA1
c38af1a8335bb018d483ffd787485881a616f88b

SHA256
0e48bf02fc216dcdbe0081dea0a2ed3ca93730859695708ade1745d813fae1b4

SHA512
f50dfbf5d1a05f0b055b0cbde21572ea26c72c7cb30c7195fae3d85586e82b4446f4310ed0056c1b6e2fab9739394349cc21d55cd82ea28c7886fad35b4e9602

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.bat

Filesize
163B

MD5
b87c95e66bfa0468b23182d8e7da564c

SHA1
46a1289d495aa22a197a059eef1fd730ce95ff01

SHA256
42bed674dfa1861d0e52fd01cbef9c9091eeb8242642e0febf5c01012b48c261

SHA512
07e3deaee31c0f0c4e2639c105adeb1f7362a80bdae026f00f687f8fce71229a502075e87479d787aa70ba23167915ed18f3f878668c64f30afe6c6d5cb19b32

Download Submit
C:\Users\Admin\AppData\Local\TempXWSTT.bat

Filesize
163B

MD5
4cb8a1380adaf09f68302962d2f84832

SHA1
8b82a457e7947f676a20a0fcddd5dfb4ff7981cb

SHA256
da455d21d86ccdb9060b3e2ece025ba6a902254a058ec677915aa2d2e56d49ad

SHA512
eb51abde3aa786320d8b79e969b18e32426fc35ac3b8a9fa0219cab8ea70b51574914fc976db711f76aba015eaf29f5c2773e9c5dddfbffd5103561b3e8912ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe

Filesize
520KB

MD5
f0c938b8850aa8715680b3e78e45275a

SHA1
2b9f93bcfb01115498d30805ee3f6042be56b82e

SHA256
abae47f08bff052832543b3f2c89890f98915fbf0e592da81045aabddf50a1cb

SHA512
1f4e65775f1f8be11dbb8b81913656b692ba0cabea087a1a0c02ad42d99e5c9f469c3824bcad21d33d36ccdca0615b4a64e1dcc040c0e572c9a1ae2a1a91bbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe

Filesize
520KB

MD5
ffe4fdd41c2bcf40c5210ee28a9461ed

SHA1
027314451fbc38f57aabc369d15efb572c0071e2

SHA256
dc44a9c706014822017acb475274194655f2ac8c827c9c279747078ab4681d71

SHA512
ddc34f032320562009a8079fef772f667beb4d7eaa3c4fe0eaa0b91598b4e5a56e7d2780a11b8c321b844d193f77d8b823c8be1a46a3179a52d0777669a62f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe

Filesize
520KB

MD5
78608c1858b599f335ab446c52ea205b

SHA1
e7a8a7ebed404aba220892b4893ff3124f4615c1

SHA256
80da014e63d660bfef151fe0299eefa792a5d5e80734d8a2ed4db8fb46e20f14

SHA512
9e8e107044a07cf2c8cc876a95dce47a4c8cde595ea1241ab93c691fb7d3b2093e62384fa6b10bc70649f523e80a500fba65b4139f0e76b2fa80a2471092b3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe

Filesize
520KB

MD5
259aa317e6be2de4f07afea413d8028e

SHA1
68a6cfbf4ef2f95a0b87b0af0743b18814943a63

SHA256
369245371be2fccc3c09ea718c9b6ab71b907536fe5f73daf4ab26f5092a0e2f

SHA512
dc2c99cf91cf9fdb8dac57b1266b6556b8dde0212e20da8d07907ce1593948311ab2f5707a7e848b3fec27926a1ea90a82ae679ff2bc6a4940ba8365b5497ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe

Filesize
520KB

MD5
6b495114548aafe88f989a78152e2a29

SHA1
340c5254885a4dcb5c73540be7b7576a790a1e2d

SHA256
7411f156882747191689c172f4754ae8da5c61656c608523eb374c0cbe46bc36

SHA512
377b22df5943e87d016b3093aeeef26b10559a5c78fb7dd9302d3f4fb4c565c397a5d8c4777a5bd1b56f01a55af10790600fb101347487c8364ff6c9e52bd731

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe

Filesize
520KB

MD5
f1cf4cc69aecea9ea71062ed33e8cccb

SHA1
105b7af0d1c5172574d1b73ccb9e5cfb10d989b0

SHA256
ca4bd474a294eff89d8b67e93e9799ff5b54ac34284e957e3cb880fbb442f30c

SHA512
181765d2a95ceea79a2fd44ecc2a57650180785d9e654ac911f3c88ec9b83fef13c6fbe8e6380e7ebe0a93906eed4ffc63abbf88e7305f36f587c9ad15546884

Download Submit
\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe

Filesize
520KB

MD5
8af7a3ac1a8eb5ad5abc08048df6caed

SHA1
0d2e73738798712bddf471c73b1dbc9b7a0592c5

SHA256
a35c751177559911152e1aed20e4292038eb8c2be8a6f076749e6a78bb3f0add

SHA512
a3f2ebdb7db83c7fc612e174eaaefe158a77b4e644f274025cfa27fb937121ab0a5dcb54ba45285f14991e068a8bf4c4b34a27adad103dc89b6ac53555865399

Download Submit
\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe

Filesize
520KB

MD5
6e0e5410d4d3f9f3d13b458df8f0facb

SHA1
2a71c738cedb512a3d0be6e7516357cb98b09182

SHA256
8227ad10d9381df55fe6c70b2bc2086e5956d9a540399578bd06c140254cbd08

SHA512
e6cb67402e903dfbb684326e73bd1377d27432be4f695ebbdc57e0f736b64d63269c50e140fec867c05aa7d82d310e19c3e16736ad0921a06a99c1b201648523

Download Submit
\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

Filesize
520KB

MD5
a6714e2364066bc8beb81cfa1202ea31

SHA1
4d6c13ee2d4423cc22be31f937529e2c83baf072

SHA256
20701ead587f77373bbe127d7560db15ac80bc6d0f1f3aab0d7d65d3141e6b1a

SHA512
1d7ece9759da391677bd3adae932d2c99643954fa22936836fd9d5a0f6358e2c18aec6e40fc3513434adeea810c37ac6a0cd058adc7a37f56764bec5d74aad06

Download Submit
\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe

Filesize
520KB

MD5
873176164d203bd42e56329d0ce3967e

SHA1
9d4e0657d2e6880cc60583c5bd00732e40260fd6

SHA256
fde38d4b42216c2fa0b983146f300f2737e17d072738a1dae43b34daea4da4ee

SHA512
bcfa2cff6d1470fa11483a37d7c10ed1aa7857a0d7988eb46293790c31058bd2f185921d7ef143e2d0ba7e55df7e8441275bc89a266f937dcd9689683b94d401

Download Submit
\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe

Filesize
520KB

MD5
fd22f13feb101173a8497731ea7787ee

SHA1
1a5d94351a5a54d4c9057a56a5b9d616b65e4bf9

SHA256
e393cafe53626583f99f176a6830f8c32ce13cff34deefbfa091ccd843159c6f

SHA512
4ab7953c1d39df6c9989f410c2b25756e9039c870a08bc90b4ff8d7baceea3b8afd84a52b1d47498012fd68894e56c4e933adc5d666454b5004dc8a8be6248ec

Download Submit
\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe

Filesize
520KB

MD5
c0ecaed252dc5c87b6cc5169a7d301ab

SHA1
38721c1159c0414f01b6e70f0f7a05028263fed1

SHA256
bde4f344b41cd2752bd45e1c92fb666bacdfcda7dbb0f2760edc4a9a325be36e

SHA512
d48d22848bc37a7352a07bb4d29814294a918c20c2d30d47754b4d44f51d53959f4aff557e0b75ce384c81a3f23249e20bc5729af0918c22135272dff51c93fa

Download Submit
memory/2984-352-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-357-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-360-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-361-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-362-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-364-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-365-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-366-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-367-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-369-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-370-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-372-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-373-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads