blackshades | 6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
Size

520KB
MD5

9736885aaded8b7387156d4b4888dc8b
SHA1

d29145c7448a7666b7bc4d3688218e08c8879e87
SHA256

6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003
SHA512

9aed30dd057d0be3387787dc32a2dc884ffaebc3233385893f441e751dfd594c02036977def09cf92a25894ca66653de01c042081e6fe950b3ec12da217bec3a
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX6:zW6ncoyqOp6IsTl/mX6

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 7 IoCs

resource	yara_rule
behavioral1/memory/2064-738-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2064-743-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2064-746-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2064-747-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2064-748-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2064-750-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2064-751-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHBG\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 29 IoCs

pid	Process
2804	service.exe
2728	service.exe
2156	service.exe
2428	service.exe
1924	service.exe
1540	service.exe
3024	service.exe
748	service.exe
2752	service.exe
2140	service.exe
1260	service.exe
2704	service.exe
1512	service.exe
2208	service.exe
1356	service.exe
1716	service.exe
352	service.exe
2876	service.exe
2772	service.exe
2376	service.exe
2860	service.exe
2952	service.exe
2324	service.exe
1636	service.exe
2136	service.exe
2524	service.exe
2792	service.exe
2724	service.exe
2064	service.exe

Loads dropped DLL 57 IoCs

pid	Process
2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
2804	service.exe
2804	service.exe
2728	service.exe
2728	service.exe
2156	service.exe
2156	service.exe
2428	service.exe
2428	service.exe
1924	service.exe
1924	service.exe
1540	service.exe
1540	service.exe
3024	service.exe
3024	service.exe
748	service.exe
748	service.exe
2752	service.exe
2752	service.exe
2140	service.exe
2140	service.exe
1260	service.exe
1260	service.exe
2704	service.exe
2704	service.exe
1512	service.exe
1512	service.exe
2208	service.exe
2208	service.exe
1356	service.exe
1356	service.exe
1716	service.exe
1716	service.exe
352	service.exe
352	service.exe
2876	service.exe
2876	service.exe
2772	service.exe
2772	service.exe
2376	service.exe
2376	service.exe
2860	service.exe
2860	service.exe
2952	service.exe
2952	service.exe
2324	service.exe
2324	service.exe
1636	service.exe
1636	service.exe
2136	service.exe
2136	service.exe
2524	service.exe
2524	service.exe
2792	service.exe
2792	service.exe
2724	service.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PVMKOJQFGYWFGPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTFFSYQYMWNI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WXUDDOVLJNIQEGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHBG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAXTRAATJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FBBWREMGLITQOSN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUPSWUXINSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEPMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJFDJFVIQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNOJIKANVEPUERC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SUKECJTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFUSISMKNCIVUHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXCUSBVKYAGOF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHUFDIVWJOWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMKRNCQXH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSHGHDBIDYTGO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\KTPKTFUAEUVSBMT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPNQBGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAYTRAATJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBRSPXJQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMIGIYLTCNSCPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPUFGDMEJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGCACXSGNHMJURP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRTXVYJOTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYKHLGODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UGEIDKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XOKJWDMWTEAYLEY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTHHIDCIEUHPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JOCOWNBCXTOBXIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWRHVCLCW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVEQVFRDBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGPBHMCO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PFSOMRERTOHKLVQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUCDOULJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVDRQCLCUMIDTMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2676	reg.exe
1440	reg.exe
2172	reg.exe
2656	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2064	service.exe
Token: SeCreateTokenPrivilege	2064	service.exe
Token: SeAssignPrimaryTokenPrivilege	2064	service.exe
Token: SeLockMemoryPrivilege	2064	service.exe
Token: SeIncreaseQuotaPrivilege	2064	service.exe
Token: SeMachineAccountPrivilege	2064	service.exe
Token: SeTcbPrivilege	2064	service.exe
Token: SeSecurityPrivilege	2064	service.exe
Token: SeTakeOwnershipPrivilege	2064	service.exe
Token: SeLoadDriverPrivilege	2064	service.exe
Token: SeSystemProfilePrivilege	2064	service.exe
Token: SeSystemtimePrivilege	2064	service.exe
Token: SeProfSingleProcessPrivilege	2064	service.exe
Token: SeIncBasePriorityPrivilege	2064	service.exe
Token: SeCreatePagefilePrivilege	2064	service.exe
Token: SeCreatePermanentPrivilege	2064	service.exe
Token: SeBackupPrivilege	2064	service.exe
Token: SeRestorePrivilege	2064	service.exe
Token: SeShutdownPrivilege	2064	service.exe
Token: SeDebugPrivilege	2064	service.exe
Token: SeAuditPrivilege	2064	service.exe
Token: SeSystemEnvironmentPrivilege	2064	service.exe
Token: SeChangeNotifyPrivilege	2064	service.exe
Token: SeRemoteShutdownPrivilege	2064	service.exe
Token: SeUndockPrivilege	2064	service.exe
Token: SeSyncAgentPrivilege	2064	service.exe
Token: SeEnableDelegationPrivilege	2064	service.exe
Token: SeManageVolumePrivilege	2064	service.exe
Token: SeImpersonatePrivilege	2064	service.exe
Token: SeCreateGlobalPrivilege	2064	service.exe
Token: 31	2064	service.exe
Token: 32	2064	service.exe
Token: 33	2064	service.exe
Token: 34	2064	service.exe
Token: 35	2064	service.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
2804	service.exe
2728	service.exe
2156	service.exe
2428	service.exe
1924	service.exe
1540	service.exe
3024	service.exe
748	service.exe
2752	service.exe
2140	service.exe
1260	service.exe
2704	service.exe
1512	service.exe
2208	service.exe
1356	service.exe
1716	service.exe
352	service.exe
2876	service.exe
2772	service.exe
2376	service.exe
2860	service.exe
2952	service.exe
2324	service.exe
1636	service.exe
2136	service.exe
2524	service.exe
2792	service.exe
2724	service.exe
2064	service.exe
2064	service.exe
2064	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2756	2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	30
PID 2508 wrote to memory of 2756	2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	30
PID 2508 wrote to memory of 2756	2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	30
PID 2508 wrote to memory of 2756	2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	30
PID 2756 wrote to memory of 2876	2756	cmd.exe	32
PID 2756 wrote to memory of 2876	2756	cmd.exe	32
PID 2756 wrote to memory of 2876	2756	cmd.exe	32
PID 2756 wrote to memory of 2876	2756	cmd.exe	32
PID 2508 wrote to memory of 2804	2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	33
PID 2508 wrote to memory of 2804	2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	33
PID 2508 wrote to memory of 2804	2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	33
PID 2508 wrote to memory of 2804	2508	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	33
PID 2804 wrote to memory of 1916	2804	service.exe	34
PID 2804 wrote to memory of 1916	2804	service.exe	34
PID 2804 wrote to memory of 1916	2804	service.exe	34
PID 2804 wrote to memory of 1916	2804	service.exe	34
PID 1916 wrote to memory of 2620	1916	cmd.exe	36
PID 1916 wrote to memory of 2620	1916	cmd.exe	36
PID 1916 wrote to memory of 2620	1916	cmd.exe	36
PID 1916 wrote to memory of 2620	1916	cmd.exe	36
PID 2804 wrote to memory of 2728	2804	service.exe	37
PID 2804 wrote to memory of 2728	2804	service.exe	37
PID 2804 wrote to memory of 2728	2804	service.exe	37
PID 2804 wrote to memory of 2728	2804	service.exe	37
PID 2728 wrote to memory of 2056	2728	service.exe	38
PID 2728 wrote to memory of 2056	2728	service.exe	38
PID 2728 wrote to memory of 2056	2728	service.exe	38
PID 2728 wrote to memory of 2056	2728	service.exe	38
PID 2056 wrote to memory of 1432	2056	cmd.exe	40
PID 2056 wrote to memory of 1432	2056	cmd.exe	40
PID 2056 wrote to memory of 1432	2056	cmd.exe	40
PID 2056 wrote to memory of 1432	2056	cmd.exe	40
PID 2728 wrote to memory of 2156	2728	service.exe	41
PID 2728 wrote to memory of 2156	2728	service.exe	41
PID 2728 wrote to memory of 2156	2728	service.exe	41
PID 2728 wrote to memory of 2156	2728	service.exe	41
PID 2156 wrote to memory of 2180	2156	service.exe	42
PID 2156 wrote to memory of 2180	2156	service.exe	42
PID 2156 wrote to memory of 2180	2156	service.exe	42
PID 2156 wrote to memory of 2180	2156	service.exe	42
PID 2180 wrote to memory of 2916	2180	cmd.exe	44
PID 2180 wrote to memory of 2916	2180	cmd.exe	44
PID 2180 wrote to memory of 2916	2180	cmd.exe	44
PID 2180 wrote to memory of 2916	2180	cmd.exe	44
PID 2156 wrote to memory of 2428	2156	service.exe	45
PID 2156 wrote to memory of 2428	2156	service.exe	45
PID 2156 wrote to memory of 2428	2156	service.exe	45
PID 2156 wrote to memory of 2428	2156	service.exe	45
PID 2428 wrote to memory of 1280	2428	service.exe	46
PID 2428 wrote to memory of 1280	2428	service.exe	46
PID 2428 wrote to memory of 1280	2428	service.exe	46
PID 2428 wrote to memory of 1280	2428	service.exe	46
PID 1280 wrote to memory of 2228	1280	cmd.exe	48
PID 1280 wrote to memory of 2228	1280	cmd.exe	48
PID 1280 wrote to memory of 2228	1280	cmd.exe	48
PID 1280 wrote to memory of 2228	1280	cmd.exe	48
PID 2428 wrote to memory of 1924	2428	service.exe	49
PID 2428 wrote to memory of 1924	2428	service.exe	49
PID 2428 wrote to memory of 1924	2428	service.exe	49
PID 2428 wrote to memory of 1924	2428	service.exe	49
PID 1924 wrote to memory of 916	1924	service.exe	50
PID 1924 wrote to memory of 916	1924	service.exe	50
PID 1924 wrote to memory of 916	1924	service.exe	50
PID 1924 wrote to memory of 916	1924	service.exe	50

C:\Users\Admin\AppData\Local\Temp\6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
"C:\Users\Admin\AppData\Local\Temp\6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMIGIYLTCNSCPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe
  "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempEBQYP.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PFSOMRERTOHKLVQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2620
- - C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
    "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempWENEY.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAXTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe
      "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGCACXSGNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2228
      - C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        7⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVUHP\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVUHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVUHP\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVJKKT.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBBWREMGLITQOSN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
        9⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHCIWE.bat" "
        10⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEPMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCJWES.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDJFVIQK\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDJFVIQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDJFVIQK\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
        13⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFDIVWJOWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHLGODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBFXWS.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNOJIKANVEPUERC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        16⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYJHLG.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKTFUAEUVSBMT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUCDOULJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWMNKT.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVDRQCLCUMIDTMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXFTS.bat" "
        20⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXFNEC.bat" "
        21⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAYTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFVOST.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XOKJWDMWTEAYLEY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHPJ\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHPJ\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCND\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCND\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDIXYV.bat" "
        26⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JOCOWNBCXTOBXIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVCLCW\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVCLCW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVCLCW\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWTTU.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVEQVFRDBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTKITR.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PVMKOJQFGYWFGPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
        29⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDOVLJNIQEGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        32⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe:*:Enabled:Windows Messanger" /f
        31⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHBG\service.exe:*:Enabled:Windows Messanger" /f
        32⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        31⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        32⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        32⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBFXWS.bat

Filesize
163B

MD5
45b7c930eea4b7461fc3e8c269e6ba73

SHA1
b988610a96c1470699db8363f8308fd8eacc8eb8

SHA256
1c113939a3b405cf978ff75962d713fd05b9ba477232663c1ee71eb6e7b90569

SHA512
0ba1b77279e371e3a6aa64b5b00f0f5be1d6b8cf65160874f93fde16e094d0fb202a29ad3f44dc52538dc285fd45f2f16e8db237829c06f9717ec66609057931

Download Submit
C:\Users\Admin\AppData\Local\TempBPYLK.bat

Filesize
163B

MD5
fd1d13bda944b76d047292d1506c4e35

SHA1
ef3550d5cb21aa824c48f67a30c5d89c4d537d77

SHA256
a5597a65241fc492acc732e99bf4f506184b0097adc2ea3db800882d34aefed3

SHA512
302391e10ce0433a050284241d478cc1adbf4d6d1191af2866e789d7e71278cc67d48c0671ab63d46f179de70af8fb66111cc59f475452cff0faa8e7a8d00457

Download Submit
C:\Users\Admin\AppData\Local\TempCJWES.bat

Filesize
163B

MD5
c50d79b236fc07a5a145d77ae9d6ba1f

SHA1
fb4ee16bd4641bd879c679df28186a614df8418b

SHA256
f0769ec766bcc17df668ea2f6120d352b890dacee247b7e951db4b102f2bcb54

SHA512
131fee614987ab4762d752f5dc8708a90d9686d8e6375e95bd92a7ff316fb48d919f1f6f51bd1a45072d3d4d5f6a11691df8deef3978401b54c5fad25bd0d579

Download Submit
C:\Users\Admin\AppData\Local\TempDHIRN.bat

Filesize
163B

MD5
5d7ff16ee794e335dfb44d4a0e928ebb

SHA1
048ead42d423ef4f3c89be7203d65bac5aef5d09

SHA256
d2403943c6075d785784a4a5a02f3d2b7f039e04524a566cb1c5fd2e25d989c7

SHA512
0d966f4ab21a7e0a455db4484d985084135e275a85e1853b00944cf8a6650f7857d729b1d36243a3e0025860e1bc23feb845d3d76c0e17ef7d564da659de6187

Download Submit
C:\Users\Admin\AppData\Local\TempDIXYV.bat

Filesize
163B

MD5
c337f536a320aa09c88fce660e7f9dba

SHA1
a21a6c8d98cbfb4fd4d91723baf2c2ec1f18aa8c

SHA256
8b2a7f4a22ee76642f84bad2577d24bad7a0fb836044dd78abdfba0fda9e1384

SHA512
8d5944d5b3dd57e80cf61363cf426b45e3d2652128749775bdfd66f83bff4bddb31a8a39cf6a6199c65ffcf10278358c958b414ec4782f430adc21c1741380ab

Download Submit
C:\Users\Admin\AppData\Local\TempEBQYP.bat

Filesize
163B

MD5
f6579de006d96261ad33ae641e00acef

SHA1
94e0075bb0ccc965c178ff620d0828975a370777

SHA256
0ca91d0067c31c5c239410da93c654438fa4c610bab935d91dee6a43ff22f2f1

SHA512
e9028dab17631d87d8ba432240978a1f2bcee5df8ccde2044c3c8aab67943d3dba90e5442dab93a504d9450b9e9d7fd083560870f4134ff060fa61f7a9834190

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.bat

Filesize
163B

MD5
00c6236868f69466e3398240045f87d0

SHA1
3f3b4a0b3b44d67b155a4582def2724b3653ab31

SHA256
2cb4eb06f1cf458374ba57ef11ec6391e9169ed5714d2fff581dcd4e94accc93

SHA512
9a425bac02df432bc254270b65f97c676218c82f137fc76f44b4eb1b6835c11f134f4e579eb49f5f015db0baaf1683288599771a432d626e04c42f9d7a6011f9

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOJ.bat

Filesize
163B

MD5
8b090728fee03de443e08a7b37f627d3

SHA1
3f8d656f7326f408eb6e084f5ace832fa600d130

SHA256
6f121e5f028070a332505d8b0f660c29f7965d2e55194775ef573df9ef0c3865

SHA512
68f0bc3fde3acbfa300a2702e8cce74600557b326d6db2ef794af6abfa2f376bbd2e0e2f9eac37f8e0518bf302de7bf6d1c9a09142ae13240cacacd9c6262d79

Download Submit
C:\Users\Admin\AppData\Local\TempFVOST.bat

Filesize
163B

MD5
8f4f69d24b4ebc6930bc1e56d234978f

SHA1
537ce5d02f37a4cd638f863e3f45b19de5ffd63f

SHA256
baaf6046299364d8c30191421a18369bc4a8deffbf54ed23551a19818b5c8eaa

SHA512
7b8845afcebd8963edf10c822118ffe28da53e5d7b315fa0174336ba62759826fb4f797a3ad54fd9cfbfe76b67721540b95d632fa66c79aa525706c5cc559fc5

Download Submit
C:\Users\Admin\AppData\Local\TempHCIWE.bat

Filesize
163B

MD5
6680d055114ccab2fc1c75b9218f0227

SHA1
e5d1791b8bd7f1707b0f152156df4e49845a736d

SHA256
4fd47e0f04a731ad6e4d8a4233c3a1beda87f48b3651291352ae92eee93bbe0b

SHA512
6102e80d1e85220aece0b67b30d420340e31a213869b5f7d25cad39736e288bb7cdc0f7ba551d7d3c851954868a5e2f484e65db559969f65f796d41601f9d747

Download Submit
C:\Users\Admin\AppData\Local\TempJXFTS.bat

Filesize
163B

MD5
14bc128c2822df50a76a7d2bfc5a3b62

SHA1
3921b0142ff18f4f7dc109e8231fa637e5e0f99b

SHA256
7e2d6ff47243ac2a9a573824a90ed9e33f1cf74a6cfc5073a2dea040016cd7dd

SHA512
97f26e1ba5a955d4464385da622070436c261ab97436a82000261ebd2bf9bf4f8d9d4cad1d76a54da3be487e6c0e4e86b8ccade9c93e1782189bd7703a8775d0

Download Submit
C:\Users\Admin\AppData\Local\TempNOXTA.bat

Filesize
163B

MD5
4febd0c69ee4be6773ca67e0e845b982

SHA1
176496a4a3d6cb0371deeba7367c63d290169c9d

SHA256
0a869712ea250aa0f1512fd5feef21044ff2b2b78bf1173adfac70039415706c

SHA512
f3574c2afeb12abc3fc528fa09e2786e4e3b41dc0aea0e351df3f5005536981e947753df9c3de78e06a6f9892d34cd7c33cf404ea5a1bdd205936fcad310049a

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.bat

Filesize
163B

MD5
e406267cef296dd62299d1888bc91c6f

SHA1
bde1ea7f545c2c63d366d1c832f33eb4619d9398

SHA256
343fe68dfa9b4197c32a397e703912769804b33a13b5439603f9a3f88705a033

SHA512
1b3cf39f0cde39d37a096353cab7ed66fe94d8187b928890873faa3cca4bf8ef26cd04ab0833ada05517a80c0a87199f9dda4499453d225484cd92acade5ad8a

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.bat

Filesize
163B

MD5
e2fde989efdfa9c12af7ee59baa74dfd

SHA1
496290188649323aeb029f1cf8f70cae43d00d99

SHA256
f31507d060c2098a8887e1d7b0fd0027d7c1377c0619d70c81536feb4f0344b2

SHA512
6e49925b5f00549760fdedebc04f53716c4943d0d1d0f303ef771a061767b8cda3e6226f564e8641433fac63d7cf33b598615f31c5059779093239d4351fe282

Download Submit
C:\Users\Admin\AppData\Local\TempSDXWL.bat

Filesize
163B

MD5
1a3da698ee8fa36e10bff6662c71beca

SHA1
6ef93721e781a68c788b0f3adf5c402e66b49f00

SHA256
02effddc870eab367d08f4d09ebc710e98bc02f3ec9fcca5a98db8e9b0637e3a

SHA512
61ed3b5665204732e3a6d2398e769a5fe6414afa3560a2451e38a5ce5bc4c63a30ebdca8fc84a137fd7f9c0d29682d1b3806630a9c17db2d5d610357500b0200

Download Submit
C:\Users\Admin\AppData\Local\TempTKITR.bat

Filesize
163B

MD5
9a5ceb53cbaab1b453caa76f455462d9

SHA1
cba6cf51b957f7fdf063cf0b090bdf8ea1b85e83

SHA256
e907e77ce5f718160ef4411b4490577b70d10fa53771d167e83cf1cd5402836d

SHA512
5d78b307e09a62462cf119ca4f954d8219c10fbc3462e926f13be89e7cd862cb72f37379c11d3f60670f039b60087b640eb074d8629be3cdf8341859c8bfe538

Download Submit
C:\Users\Admin\AppData\Local\TempTOWKL.bat

Filesize
163B

MD5
2e5ef17ae399e8cc24dcd07a4f742b24

SHA1
9e8b13e343296b273e44a6f9fa4a5e380a22daad

SHA256
78cbc723dfadb08f22c38613a8db734b2ba186e7f4480c3e1e1848a16728c987

SHA512
4df64b596a3f08b9e6ffc3c55e55fb826f6f6dd01a37412afca514f2d608c8dcb85b41c79a7300ae6be562bbe081f5c270f09daabd3992308fa5f96345e7d7dd

Download Submit
C:\Users\Admin\AppData\Local\TempVJKKT.bat

Filesize
163B

MD5
e1aa77ec10b36c8029fbeef215adb276

SHA1
9cf99ce961e32fddf3ad986134f51f931db15d66

SHA256
30776d62595de30ea3cb0845a2b745687b39d3c0f1acada091953cd906bef92a

SHA512
80762902ee8ebd72cb10f1be4d9597f396369ac5ad20dd4bf96e045be0a386b11dfb452da13e18bc9074d952ce6f7a00c6ee08baf85f0e15f1795e1a73c16d89

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.bat

Filesize
163B

MD5
3cc8db8f1b9a8047561ef21292228b07

SHA1
aaa2f3b7f1acd31b1fb2434bb05321d79779e801

SHA256
7c75ecbff079359cd1f5c877aaf75fc2f175a04611db6fb23b3152fbe02ef5b1

SHA512
10aea21dfd242036065f7df402b437a7bd6680172759d5a379d742fdeb5212d08ffdd59dad6193ba3effde8748ee34432564e82ce6f44d10958b3e777a177114

Download Submit
C:\Users\Admin\AppData\Local\TempWENEY.bat

Filesize
163B

MD5
96d0789c29df9db5bb03aa448d5560b0

SHA1
5912d51ab01f269a16f9061d07a88bb1c91615bb

SHA256
43bf63877a4452f2ea28a618a6588ca210754bed763ea7cdb5efce2f27be204c

SHA512
7af02d0307fd79402ebfed87207afed59b5eb9f2b029a58fd377767539551078ccdbc5cc78583a69a6812e58816a1c6dca133750d0f7b92836e022b328187700

Download Submit
C:\Users\Admin\AppData\Local\TempWFFOK.bat

Filesize
163B

MD5
fac9bdf0cb269ed3317a66dda5345015

SHA1
7212f75bab1062289560015049bae729a47848bc

SHA256
a2a363207d60691be6ec12d9235ea172ba869ad4cd2a3655800910779470fa63

SHA512
8cd2589bfa16743ed6853d6520a842e68c3b7acca66700f7fe0cbab1201e71a03d6ebf54d7db0ddeeb2cade20d1f2928d89373780bf6f89a2679dce5f3540c77

Download Submit
C:\Users\Admin\AppData\Local\TempWMNKT.bat

Filesize
163B

MD5
54863e82575d965546d8f79d5c7233fb

SHA1
5d51cf94da3f42423bf4402e58009ff53884501f

SHA256
49b49933027f02fe5c16c9d0d194ae15ec5031708972785d4ea85f76e606c047

SHA512
59b06ef5bbfc785ccbfe1aa9eabca181dc476fe990de246769fb1979c2d000603ce0ac5095dd7d083bdc259b564ccbbad947f2bd91d9e537173f6f2fd8787b0b

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
81f5f7a5b13b716822c07801e6bd162e

SHA1
3210cec92841391b12f98e4ecc96edfb01f40871

SHA256
b5e4bce2d6cc217e100805ced6bd9b305f2f67ed0327060e3d67ed2944304412

SHA512
8cd4bd199adeea32a5d975fcc9ba2cb622b66a443588bac78cfb29a5fde700ea262a2df9fe967a90ed730dcefde9dbdd0131f88177d9d7096f2b1a2273ea611f

Download Submit
C:\Users\Admin\AppData\Local\TempXFNEC.bat

Filesize
163B

MD5
e7c5253411098caa8e1794378a7ab8be

SHA1
ce77dd128887e0b00181ee7b5bd0c198251768ad

SHA256
637f177c2cc9445c7529d71c7c48ebb25c9394ee6195c697aa0705a181b7858b

SHA512
352e2decfdacbf9f9bdef7735c2dd545ab52aae9d64e830b74f8980b2dfd0681dd2bbe6075b5838109ec7f88ed86da098cca6a374efbac42488aa30437478c2e

Download Submit
C:\Users\Admin\AppData\Local\TempXMIRI.bat

Filesize
163B

MD5
69fd85dbaf4dcbef556bcf149f1dda5d

SHA1
1ba41fa17e55e62b36bbad12791376f690c01f7e

SHA256
2e9685877dafc63293ffaf96367653854d246e459a2825a307996757f08e5fcf

SHA512
ee381a503939aa14fcc493ac6dbeb19c7ea1beccf0f16adef27a75d11daf7e85413ea711bcc80c495df294fb9626f1de5f1927dc8010ee097a26b03493fc0171

Download Submit
C:\Users\Admin\AppData\Local\TempXSSHQ.bat

Filesize
163B

MD5
6f1bce02e9bcd5a8203516cb7ab093c8

SHA1
3a2ac48ad70de53caa318a0a04909acf6a0f40f1

SHA256
4471ca295530476d21a48bf42a880c01d5062790c7dc78fbbc6417976c7e5aeb

SHA512
02eec476d1811f9bc9925403ee095d4e6d8f80a52b9a8633a5ab9112b9d10f60d0e6fbd0ad33197a5bacbc61152c3eacfdfdff303fbb50eacfe1cbccd94e6656

Download Submit
C:\Users\Admin\AppData\Local\TempXWTTU.bat

Filesize
163B

MD5
aa10094ff65a0e7402f5568b23ebfc95

SHA1
244feb6399ed8c8e2e819e21d366e8d8a039ad91

SHA256
4f64efabc8178271cc4a1ca265ef778782b50d3dd09c87539163bd46f88e5075

SHA512
f4bb4060a55d74dd1272262e97782ec1c365c002989c690a1ee6d6ebba65c501babff3bf24218a49d33f839af6fa993618f29756b39754ba232496efa0f1a30a

Download Submit
C:\Users\Admin\AppData\Local\TempYJHLG.bat

Filesize
163B

MD5
9b026e2383f5dd4ef308ad64fbb16ab2

SHA1
65c6aaad95a174921992c65875be6627beb49ee7

SHA256
9cfaca5251b8ad8ca309546674bda40414bd72ce4afc47cf2b8e18c6083c9b57

SHA512
7d7608d3f6057022d0f8ad1c2fb15b46ac11c250d5129311d08873577bda5756a160d04d8482b5766dffb0bbd59a84b3f9728d0eef458f73483174a8f639586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe

Filesize
520KB

MD5
9826ba0eec80afd2036c9b2f6bb964a6

SHA1
988bd0fb7562eb865a7c541df8b5eabf5667c821

SHA256
9c9eb49f8bcb84b856c00e1d3f9005cbcdfe6f5e96adc6596de50853c7b50702

SHA512
dca860159a872470d0317c59bf76f8f221be1d583f8a29093800a30b932fb12cd4102efc879f57a05f8024e63d5116e04cc44d7b24eed03633f8d47340b86c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
9acd43b6ed19eb0dd7352ba45ef4f076

SHA1
0f3e1821e80aba8bd292bff402749977a3037d69

SHA256
4a98859940e9de133353cafec62f1b7f19c5035e8d7b370c64ff5a772ca80209

SHA512
0db985550ca6a78d42787a45dbdc252233ac5829bb32f607b8e6210e57b7e8939dffbf32e258859a3ad3e8c65c27d7687e1d8ea6a20ea535c06fde4fd0980e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe

Filesize
520KB

MD5
e64117e1eabf5c9eab6eae7281a52a3f

SHA1
c5083373187daa7ba27dd50c18ac9474a5c874af

SHA256
c25b88005ba7441f5bfb5f4dee60fdece380ce6ace40571ad7deab00c35b01e5

SHA512
61f81f292b2539956ce43a0463c60956e0242946c7dc71cd5a9570543d3d83973997f52e03b5a79813325945933abb32df1cfeb6b22acd6a664f322ee9443fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe

Filesize
520KB

MD5
dcd7c1165b34d8e452479e614c0dea99

SHA1
51cfb97823b8f8e8ae101da4986837a12cc76859

SHA256
82eebc2651836de1de5b2fdea1d9595897e57cc7263355bab9054d88ef2efdb9

SHA512
04e37bb2356d77f69924693c6f726e846fe5420f937e8255e882b4025639e3b3c66cc274a9d1dc6002ca16b9e3c7a8604fff9023b90c63e20330a8b1144675bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe

Filesize
520KB

MD5
bff52334f1d9bc07176bb61c5d11a0ee

SHA1
8d9acf726555b0714ef6bc868b8eaf9106998025

SHA256
ab0dec8283a84b9df53c50c5c2d4fd9c56a48c99cd10adfe4835e0bccd4994ca

SHA512
c1bfa42efdc3c24df8519b5d6044613905d96b4c0bf62418e8e08d3ca8e95a3587800b6477d57efd9e994c360d946ad4204ebf6a84a9fad8bc4ed03537c5edb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe

Filesize
520KB

MD5
5da1f7820fea258605bb0e117802a894

SHA1
3f3e3cdacb6f8ff536a360f558567329de963f68

SHA256
29938708a82b2180e759ccf1eee19cb14602cacd1c7a0318bc0b8882c25fc03c

SHA512
10305ee33bb25e2c0dc1bf946269bc66f5b2e05c800618ee2ac1fb03963400a7e6a166248aa4993ae3b31d77d47e6c56822a7f28c1b35fd541ad835ebd9e2f97

Download Submit
\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe

Filesize
520KB

MD5
30a661c369655b176135a95f58c85059

SHA1
798d9b3bd94de40d0419114423555da666cfa70d

SHA256
086f5e84e43aa4949aae1d248e7e1edc8619c626fadfe7e833f34e1c0b095768

SHA512
a7020ef3d7cba966d23477af3636bb6787dfff864366e234df0732212a4fc5007995c4fa6725cd6104299798608a604ed6c0bf157cccfc50ebcf5fdce0175861

Download Submit
\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe

Filesize
520KB

MD5
47dc3f7bf687fbacd1570ae6ee430b27

SHA1
50d9121b02529066b8916f7977c283d06945e87e

SHA256
2e7a2238091aabfb441fa6022667d2e5ad83a8e903a81d39cd8d980f0c1bbab7

SHA512
3ec3bcfdbb719e541c666c8f76cee8555c046e09fa55a7653ad7f9a1fd8479de31c483a421cfa1591a2c17793518034bcc50532bbec858a4572503caec101151

Download Submit
\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVUHP\service.exe

Filesize
520KB

MD5
d252ffe265f9adb8622efd919273d6b9

SHA1
f8d74956691ad160c50c32d7cf46a235cc6772b2

SHA256
38650832411f77cb0cf05e3bea27e440656d26669929e0f0508bae5b8bee391d

SHA512
8634d8f39c7f380b61ae8b488920dc32f1e76ca11ec841e6871a012dd9fd146c9d7208d75f23703564e8269c0389f299ad2344e6bc11c5d66237adbf8365ae41

Download Submit
\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe

Filesize
520KB

MD5
35a8e3e8082b1a8694340df178d4ff13

SHA1
dead5f22a5092ec4849f965dc58881d8865ba81c

SHA256
75a9c05fd8beac44ab1742d21a364697ef4034d96cce8fd258b10a67f7d9f132

SHA512
45d72b9930383e6c2eb05aa2ce3228d64533636607e99271b30a90b03eaf773c7f2f16ecc850472ba2f87022aeacd774804bd6671d90d9c6eff6772843a7eea0

Download Submit
\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe

Filesize
520KB

MD5
b639ddd91cac315e49e23e99ec647e4f

SHA1
7c484c145d7d3f44f901bfa84690f6f4e747ddc6

SHA256
c0015d5d8b79037638d93ce172f27dee1ce8f21ec6af544e65bdc256b88389ed

SHA512
a780333b3a066658520c81e37a5188a2c501620d49174e880f8a707a6ba793ca114edcc5a09fc145584539c47c3bf07f2980f11eeae47a0ab39f88b7685852ae

Download Submit
\Users\Admin\AppData\Local\Temp\VNMUJIJFDJFVIQK\service.exe

Filesize
520KB

MD5
c8d223b9dea07df95e8277e417ad8f3d

SHA1
c7291716ddea7d028c3c23bdacc12d160824636d

SHA256
527805e844cd5a942a178ac462df31433809ec42ca083b5ff2205c3561e28de2

SHA512
ea62ddd6893a2fd27b1d40ea743d7a155a789f8d2b09d941b497dcd696f524a9cb02299acc0907f0e15cc112af919de39cdafdfd0fbcf0afd52318f5f21b6db7

Download Submit
\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe

Filesize
520KB

MD5
9b1ef9ed6803ef7706c9852f0cc1ea72

SHA1
08903a7a98129ebccb9887bc6068a5eeb206ec00

SHA256
0484dfcbccb1862a54890e6955db1d1f9cc6c4a6ce2d4c80431c10ce36e7837d

SHA512
a79b8d98c0f4e5b0fdbaaa70404470b449316cd1410668da81fc9bbc002b51de88589618805aa74dd871b6e09952c94e19e8f37eff4c9643a40e087ef0ebdb7a

Download Submit
memory/2064-738-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2064-743-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2064-746-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2064-747-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2064-748-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2064-750-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2064-751-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads