blackshades | a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c

Analysis

max time kernel
148s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe
Size

520KB
MD5

5ac90bdd964329f989cbc68652f1093f
SHA1

47120aa1a6ae5940b162624270f7d7cc65f1f89e
SHA256

a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c
SHA512

3e62902fb8bfc1600e4be3d49e0d2514a9bfb6f05fd6c1bd2adeba4af5aebd255b8f8e0db45d5c161b0b2b39966f7765f3a8d66a13553d45000b1c95d4b9547f
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXH:zW6ncoyqOp6IsTl/mXH

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/688-666-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/688-673-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/688-676-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/688-677-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/688-678-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/688-680-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/688-681-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/688-682-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/688-686-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QSICYAHRHMEVMAK\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 26 IoCs

pid	Process
2284	service.exe
2768	service.exe
1616	service.exe
492	service.exe
2636	service.exe
2576	service.exe
1540	service.exe
1944	service.exe
3016	service.exe
2408	service.exe
2224	service.exe
972	service.exe
2132	service.exe
2908	service.exe
2184	service.exe
2400	service.exe
1608	service.exe
2228	service.exe
2888	service.exe
620	service.exe
1744	service.exe
2964	service.exe
680	service.exe
448	service.exe
1240	service.exe
688	service.exe

Loads dropped DLL 51 IoCs

pid	Process
2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe
2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe
2284	service.exe
2284	service.exe
2768	service.exe
2768	service.exe
1616	service.exe
1616	service.exe
492	service.exe
492	service.exe
2636	service.exe
2636	service.exe
2576	service.exe
2576	service.exe
1540	service.exe
1540	service.exe
1944	service.exe
1944	service.exe
3016	service.exe
3016	service.exe
2408	service.exe
2408	service.exe
2224	service.exe
2224	service.exe
972	service.exe
972	service.exe
2132	service.exe
2132	service.exe
2908	service.exe
2908	service.exe
2184	service.exe
2184	service.exe
2400	service.exe
2400	service.exe
1608	service.exe
1608	service.exe
2228	service.exe
2228	service.exe
2888	service.exe
2888	service.exe
620	service.exe
620	service.exe
1744	service.exe
1744	service.exe
2964	service.exe
2964	service.exe
680	service.exe
680	service.exe
448	service.exe
448	service.exe
1240	service.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\INKKVSQUPXLNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYMKJNAEAOUMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HJVVWRQWSIVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSDTDSTQLRW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\UMIDTMNWMNKTFLQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQVGHENFKBY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAAVQDLFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTORVTWHMREBQYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVUYLCPLJXOAOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLEDKTJPGXODND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\COSPDPAXDVUQSEK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXGGSYOMQLTHJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEUPDKF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCLCULIDTMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXPVNEOHGIYVVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDGSTOMPESAJAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMJURPT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\UVJVGFJXYAKQXYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SSCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDCFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSUGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPKAOVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNKJNAEAOUMDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EGBCWRFMHLIUQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWVXJNSAFDRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NBEPRMKNCQXGSWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQCJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\JEDRHVQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKCIPYBBOUMUIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVTRWJNJGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QSICYAHRHMEVMAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BPFTOMRERTOHKMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIASJGAUYKLIRDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWUDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1820	reg.exe
1600	reg.exe
2248	reg.exe
2400	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	688	service.exe
Token: SeCreateTokenPrivilege	688	service.exe
Token: SeAssignPrimaryTokenPrivilege	688	service.exe
Token: SeLockMemoryPrivilege	688	service.exe
Token: SeIncreaseQuotaPrivilege	688	service.exe
Token: SeMachineAccountPrivilege	688	service.exe
Token: SeTcbPrivilege	688	service.exe
Token: SeSecurityPrivilege	688	service.exe
Token: SeTakeOwnershipPrivilege	688	service.exe
Token: SeLoadDriverPrivilege	688	service.exe
Token: SeSystemProfilePrivilege	688	service.exe
Token: SeSystemtimePrivilege	688	service.exe
Token: SeProfSingleProcessPrivilege	688	service.exe
Token: SeIncBasePriorityPrivilege	688	service.exe
Token: SeCreatePagefilePrivilege	688	service.exe
Token: SeCreatePermanentPrivilege	688	service.exe
Token: SeBackupPrivilege	688	service.exe
Token: SeRestorePrivilege	688	service.exe
Token: SeShutdownPrivilege	688	service.exe
Token: SeDebugPrivilege	688	service.exe
Token: SeAuditPrivilege	688	service.exe
Token: SeSystemEnvironmentPrivilege	688	service.exe
Token: SeChangeNotifyPrivilege	688	service.exe
Token: SeRemoteShutdownPrivilege	688	service.exe
Token: SeUndockPrivilege	688	service.exe
Token: SeSyncAgentPrivilege	688	service.exe
Token: SeEnableDelegationPrivilege	688	service.exe
Token: SeManageVolumePrivilege	688	service.exe
Token: SeImpersonatePrivilege	688	service.exe
Token: SeCreateGlobalPrivilege	688	service.exe
Token: 31	688	service.exe
Token: 32	688	service.exe
Token: 33	688	service.exe
Token: 34	688	service.exe
Token: 35	688	service.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe
2284	service.exe
2768	service.exe
1616	service.exe
492	service.exe
2636	service.exe
2576	service.exe
1540	service.exe
1944	service.exe
3016	service.exe
2408	service.exe
2224	service.exe
972	service.exe
2132	service.exe
2908	service.exe
2184	service.exe
2400	service.exe
1608	service.exe
2228	service.exe
2888	service.exe
620	service.exe
1744	service.exe
2964	service.exe
680	service.exe
448	service.exe
1240	service.exe
688	service.exe
688	service.exe
688	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1732	2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe	30
PID 2520 wrote to memory of 1732	2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe	30
PID 2520 wrote to memory of 1732	2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe	30
PID 2520 wrote to memory of 1732	2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe	30
PID 1732 wrote to memory of 1612	1732	cmd.exe	32
PID 1732 wrote to memory of 1612	1732	cmd.exe	32
PID 1732 wrote to memory of 1612	1732	cmd.exe	32
PID 1732 wrote to memory of 1612	1732	cmd.exe	32
PID 2520 wrote to memory of 2284	2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe	33
PID 2520 wrote to memory of 2284	2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe	33
PID 2520 wrote to memory of 2284	2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe	33
PID 2520 wrote to memory of 2284	2520	a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe	33
PID 2284 wrote to memory of 3024	2284	service.exe	34
PID 2284 wrote to memory of 3024	2284	service.exe	34
PID 2284 wrote to memory of 3024	2284	service.exe	34
PID 2284 wrote to memory of 3024	2284	service.exe	34
PID 3024 wrote to memory of 2952	3024	cmd.exe	36
PID 3024 wrote to memory of 2952	3024	cmd.exe	36
PID 3024 wrote to memory of 2952	3024	cmd.exe	36
PID 3024 wrote to memory of 2952	3024	cmd.exe	36
PID 2284 wrote to memory of 2768	2284	service.exe	37
PID 2284 wrote to memory of 2768	2284	service.exe	37
PID 2284 wrote to memory of 2768	2284	service.exe	37
PID 2284 wrote to memory of 2768	2284	service.exe	37
PID 2768 wrote to memory of 2224	2768	service.exe	38
PID 2768 wrote to memory of 2224	2768	service.exe	38
PID 2768 wrote to memory of 2224	2768	service.exe	38
PID 2768 wrote to memory of 2224	2768	service.exe	38
PID 2224 wrote to memory of 1936	2224	cmd.exe	40
PID 2224 wrote to memory of 1936	2224	cmd.exe	40
PID 2224 wrote to memory of 1936	2224	cmd.exe	40
PID 2224 wrote to memory of 1936	2224	cmd.exe	40
PID 2768 wrote to memory of 1616	2768	service.exe	41
PID 2768 wrote to memory of 1616	2768	service.exe	41
PID 2768 wrote to memory of 1616	2768	service.exe	41
PID 2768 wrote to memory of 1616	2768	service.exe	41
PID 1616 wrote to memory of 532	1616	service.exe	42
PID 1616 wrote to memory of 532	1616	service.exe	42
PID 1616 wrote to memory of 532	1616	service.exe	42
PID 1616 wrote to memory of 532	1616	service.exe	42
PID 532 wrote to memory of 2388	532	cmd.exe	44
PID 532 wrote to memory of 2388	532	cmd.exe	44
PID 532 wrote to memory of 2388	532	cmd.exe	44
PID 532 wrote to memory of 2388	532	cmd.exe	44
PID 1616 wrote to memory of 492	1616	service.exe	45
PID 1616 wrote to memory of 492	1616	service.exe	45
PID 1616 wrote to memory of 492	1616	service.exe	45
PID 1616 wrote to memory of 492	1616	service.exe	45
PID 492 wrote to memory of 2924	492	service.exe	46
PID 492 wrote to memory of 2924	492	service.exe	46
PID 492 wrote to memory of 2924	492	service.exe	46
PID 492 wrote to memory of 2924	492	service.exe	46
PID 2924 wrote to memory of 2772	2924	cmd.exe	48
PID 2924 wrote to memory of 2772	2924	cmd.exe	48
PID 2924 wrote to memory of 2772	2924	cmd.exe	48
PID 2924 wrote to memory of 2772	2924	cmd.exe	48
PID 492 wrote to memory of 2636	492	service.exe	49
PID 492 wrote to memory of 2636	492	service.exe	49
PID 492 wrote to memory of 2636	492	service.exe	49
PID 492 wrote to memory of 2636	492	service.exe	49
PID 2636 wrote to memory of 1988	2636	service.exe	50
PID 2636 wrote to memory of 1988	2636	service.exe	50
PID 2636 wrote to memory of 1988	2636	service.exe	50
PID 2636 wrote to memory of 1988	2636	service.exe	50

C:\Users\Admin\AppData\Local\Temp\a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe
"C:\Users\Admin\AppData\Local\Temp\a2e607f38bb88e931b2b05476d39410ebf15420872a09847d5afc5244292a99c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPFTOMRERTOHKMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIASJGAUYKLIRDJ\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1612
- C:\Users\Admin\AppData\Local\Temp\AIASJGAUYKLIRDJ\service.exe
  "C:\Users\Admin\AppData\Local\Temp\AIASJGAUYKLIRDJ\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempCAEHY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UMIDTMNWMNKTFLQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
    "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAAVQDLFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
      "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWHFKX.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDGSTOMPESAJAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:492
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOVKKL.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMJURPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2772
      - C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBDRML.bat" "
        7⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UVJVGFJXYAKQXYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEHISN.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYLCPLJXOAOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVLJNI.bat" "
        9⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWUDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INKKVSQUPXLNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYMKJNAEAOUMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "
        12⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNAEAOUMDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCA.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNVKKK.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EGBCWRFMHLIUQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTEDHY.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBEPRMKNCQXGSWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXFTS.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "COSPDPAXDVUQSEK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGSYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDCFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIGKFM.bat" "
        21⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQLRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYFGDL.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSUGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEP\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEP\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCLCULIDTMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIYVVD\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIYVVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIYVVD\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMNXTA.bat" "
        25⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JEDRHVQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBFGPL.bat" "
        26⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVTRWJNJGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHUCQ.bat

Filesize
163B

MD5
e9ea081c5a41b847f5f8222a51e7da8a

SHA1
3b129936a5a39f7565d3313c5cf901807bac8cc9

SHA256
83515ba7a54b2fb22dd4585258b0f0bbcf368c4db790c760e686993ac7d0171d

SHA512
ed3791219f776ce47c40ba9dc6d27a7fb7c3b4340bfb49e806aedaa42d35e65dff753f8d35e7124efb0fca5cb3a8de44978f2d34cfc1bf581acbd373202398d0

Download Submit
C:\Users\Admin\AppData\Local\TempBDRML.bat

Filesize
163B

MD5
f19c9871822702c8035b91f5cbf269c2

SHA1
0a4c142be5914ab8a941b30097acc3e68e143050

SHA256
c43acc594ff5081e1d256f0e568e7e0c9548c674285dac238b68d01f1bc73983

SHA512
33d3908ea32330dcaf7a387c24066d8e89f32b37447bdd37ff259123bf390114bed06b9178cb720870efa81f97256922fb11bb6b9b18cf83f1a99b71c781e5aa

Download Submit
C:\Users\Admin\AppData\Local\TempBFGPL.bat

Filesize
163B

MD5
44d686f6f2417d38f57ab7496efa783c

SHA1
4d10789b00680936345ae6c9874f687a77b2de4f

SHA256
3f821cdaec4d5eb9444f4dabdb0ec6730a872cfd82d3cee0ec37a45a5abfaa9a

SHA512
b08725adfb0361d41016b7fbafd860fef7852c99b80bf0879381c51e49cecc79ed253ff8e40c153047b39f093fb76ce1a4a789f9248dc8ed36413e8fd1d6e1b2

Download Submit
C:\Users\Admin\AppData\Local\TempCAEHY.bat

Filesize
163B

MD5
d74ea3995167c8dccb4cafdc3d2323be

SHA1
4c58658895d2977ec24b122fd22ec6c7e8f5b4d1

SHA256
89022699e26dde4efab5cf5af0249875951965de3ce3aee2e84ec23c14578556

SHA512
16b07abb880cd182a571e32afbcc845f5f2eaf710ab66580efe9907b687a56adf4097553ccbe053e5eac5f594db4d6dd950b70be931d066abc88e940cc34054d

Download Submit
C:\Users\Admin\AppData\Local\TempEHISN.bat

Filesize
163B

MD5
302d90a43a0fd7982404fd0a0fd99e5a

SHA1
6c22c3017dabeac519d4da517ba129981535c514

SHA256
49c93337435909f01c054e972aeb238b467f79fde188716e67f7a746e916c5da

SHA512
af1e97b69455307e4f89ad8b8899121d1a38718c26aa42b116237d4bc72c2a031343ad8bc912ac147bc4d87bdbe020cd0835d2d3a73aa730059c82f7c5c8730f

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.bat

Filesize
163B

MD5
08853a35be8e45c3640c3f672e80fe9c

SHA1
00902980912ea37b95b6e99bd7e88d5759dfe96a

SHA256
917e075095fbbcc1b098646c4bc5e216fe0dfd4066b071f0306040d619c5cb9f

SHA512
6233dcc47cad3065a4329603cedde5086decff797d8ee270fcf527202f4aeb89e6aed8417a0e0f6c14668125744b4524247e98fa6b6632182f563c9c41390d55

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.bat

Filesize
163B

MD5
e973739086006a2636e59716ee178686

SHA1
9044c6f5c5e89e4155d6375f56fb27007320adee

SHA256
203196b85cf7fe65bc4ae301766dab615bb2f0e187190599d0333d50ebc61d4d

SHA512
8aa94324a7969a978eb4b2a75c023065f283eacb382593ba92d10ce508e667f5dc3590e05da6b682db902d11134b4cbc5f0664d9dde17f443c224d9833d68ff4

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
1e51e351fab57d71b04af043d441bbcb

SHA1
0c1d699c40b385b2ff4cc2859b38d4b4b5528bbd

SHA256
6c4371b7e140b36b1a8c20e8d94d46feed1ecf5eb374a235dd982943df02780e

SHA512
154a3c315eefa53e30c0278e0fed75bfd4bd287bc87f88a6bb124caa3e54d9746407f61317dc7ae213f44b7e4e75024183321a3c8009c65b6a8dc24b7427d24e

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
a05bc5c948181b8882b7b95448172f1e

SHA1
9dcd6a7078ad15bd61db8a84bbf43688fb27742b

SHA256
42691c7bac5d448be2e134d9011b898323a2329d4bae67b70058574e0563b226

SHA512
24d9d2f4ad6f7b0c5707928055102c4219220aa55df2cd05340728fdb09121e74ea9a5a3ad10c9deb1cbf1d134f2a6f73bf904111318d0ca1aec583d3680880a

Download Submit
C:\Users\Admin\AppData\Local\TempIGKFM.bat

Filesize
163B

MD5
259fcf2d77cd48c375b929493d9e95d0

SHA1
ae081b27b04fa7248d5a76d5a71b4cf3abb748cf

SHA256
03d5d4132156b47723a4dbb1e4c4972cddb4849d49c11bd99b16b9b0741b3253

SHA512
daa5860fd72a954f303015944d10875b968a5e40d2631e7c110696447747ceac4e47d29f3c523ae1d576c48dfbc14a1ab2f5b0f18ef4ae8686b6a53fef50dcfa

Download Submit
C:\Users\Admin\AppData\Local\TempIRNVM.bat

Filesize
163B

MD5
fbf8beaf48fdc011e243d8595f2140f4

SHA1
92bc32a451b9666446a343abf3389a9653dee951

SHA256
cb6b58412c832a730e896acd16f40bc0679312df5c467bfdf5e10c66495aea49

SHA512
286d70c6b86c59d8fbf3e56bce71c36c7db06b77168b5842499065573c65f684c18f895301cf0d0210dbe801369df91c636d6e2cf31fc89e1c4c35f8d8642bb7

Download Submit
C:\Users\Admin\AppData\Local\TempJXFTS.bat

Filesize
163B

MD5
14bc128c2822df50a76a7d2bfc5a3b62

SHA1
3921b0142ff18f4f7dc109e8231fa637e5e0f99b

SHA256
7e2d6ff47243ac2a9a573824a90ed9e33f1cf74a6cfc5073a2dea040016cd7dd

SHA512
97f26e1ba5a955d4464385da622070436c261ab97436a82000261ebd2bf9bf4f8d9d4cad1d76a54da3be487e6c0e4e86b8ccade9c93e1782189bd7703a8775d0

Download Submit
C:\Users\Admin\AppData\Local\TempKTFLQ.bat

Filesize
163B

MD5
97c2a8d55d60ee9d20c69764481158fe

SHA1
030f03311a39247e79e2f8c346f5153a091c78d4

SHA256
94dce3f5632191b40fd1890c8297fb4fedd58cd38ba005527bffc3b040791c4e

SHA512
66a39aff444eeb201b3ef88af56d9d363554e8ebfc2e855ec34e6eea864578d990f89e81c14a620436acab5d8772a3ac5d61108acabf46fe1e8903eec95dba1b

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCA.bat

Filesize
163B

MD5
ea5304ac3a2512a4acb5e8c6da74b136

SHA1
37abaa1057f056eb94195e9a8eb31edc92558acf

SHA256
11b00ceb1b53c035f3c611aaebc1466e4fa4cb53480d73afc468355e42242813

SHA512
95a1fb0283cf7d8817432549a2cf4cffae21ff86806a56ced8df54e1c7293d0ac583afb0d138c2f79c5947abd9775264160b6ade12827ee310cb679f4065a3bd

Download Submit
C:\Users\Admin\AppData\Local\TempMNXTA.bat

Filesize
163B

MD5
2d04617476f92aa616aa6cbfa3b96c16

SHA1
5cfa2e11ba709e624f39c0b4b888fc2309281fce

SHA256
1d5c078f5e595aa5ef14e905c18fd1bab80b9ae80b213fc8b27e6c829535b028

SHA512
17a5d63d101f98ad2dfef83d77a2d12e51752c265a2d481aa6133b5dbac4ded64b0deeb8e40dcf8d818e920ce92152a992f067ca8b28e532c6b2aa4f2e7ce9d5

Download Submit
C:\Users\Admin\AppData\Local\TempNVKKK.bat

Filesize
163B

MD5
e705e77f85929c89e7f2f70cb492ca04

SHA1
bc7d9e2726090321b024d4e68a8272b7380047d1

SHA256
86bf2f8fc218239d19e91255ddbf3c34cd5cb01b09150a3f0946d633e8d50a73

SHA512
8fc2526238e3044ad2c744b12010bcd08860ea40635f9fb8b0b57e522c9ec37660d9049646c53d7ee8e7cb9106554e91b23b2963a7afdbce00a25264a12e7f9c

Download Submit
C:\Users\Admin\AppData\Local\TempOVKKL.bat

Filesize
163B

MD5
0865b2bd8219fff90fb9ce4a79aa14f2

SHA1
271f069d2306f362836d9abf5ecf4b3d5536e848

SHA256
830b092e49c24e6ff8e6a5bdf0000e4b6746c3375920f40593076710a25200dc

SHA512
348adb46814b1e864f6d5cdb6aac52cee32b0c1004f8a43508b8a42fd4fe66f7e299f91a09ee187c78f0f0ffb8093e6ba25f7d8b360489195aef56bda82f4e6c

Download Submit
C:\Users\Admin\AppData\Local\TempREBQY.bat

Filesize
163B

MD5
673832f5700b8194155d22b0472b726c

SHA1
f8d47c1162396a689ab28fb39cc0d97d6524ab13

SHA256
4ed65e5397ed70d20c5a33d66774d9754ae4aa026c8eaabd5e6bf75ed27be37d

SHA512
bf93239c22f1e5ef36eb458cb3e84929f9eeebfe726e16f833fce3d78db22037685894c9872c4726f7251e5811d071cd66d6bcfe56e031fefd9af89b231210a6

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.bat

Filesize
163B

MD5
a4963aba3ce95dbdbc2a8b355d15db70

SHA1
6381c3fddf31277e3a643371d13707bcc036b5c0

SHA256
14acce0c2ba59b3163b863693b8832963e8ae5896d90f754a4c71215cbab6683

SHA512
6a9826e06a2574fbd4e2fb230605e8bce06012cf2bdbc8ec2f2dc7c7a31173588a916d853d35266c124748b9ac7f0044893fd9d6635cf05153b68171d6cc3795

Download Submit
C:\Users\Admin\AppData\Local\TempRRCWV.bat

Filesize
163B

MD5
2055c28d67c603566c573f006d91d18d

SHA1
e5fc25e8fc106538c80f41f6be384afc1db3d4f0

SHA256
e1946eeb933aee503dd39a2fe33a8f8b7372512e51e828780974466d6e4eaf68

SHA512
731035f0c9662feb5430e366793da63a8fd518c59a63d3c86984ed138870649cad2775944827636ef66bcc5b7faf7e6a1d0692f9d579c7c41c3d925fd58780bb

Download Submit
C:\Users\Admin\AppData\Local\TempTEDHY.bat

Filesize
163B

MD5
7f0b527f7baf38b696050eda03a7dbd0

SHA1
09550435888ff4507d342f553820e71bc5cfbd9f

SHA256
33222eb27238da3553e43f9ede57fbd5a6a2e5b482522adbf820a7a35877f66d

SHA512
a26143eb0054adbe029547d6b6db46c00cdc9376c39217a2090fbce798a86d24021940db491031fb92b845512bef54c059657dcd5971a44b6a3c41d2ce14fabb

Download Submit
C:\Users\Admin\AppData\Local\TempVLJNI.bat

Filesize
163B

MD5
870d241d78c9b4771b92865e3b45e495

SHA1
eb3f4a583380a0e28fc26ce9b0408b8617be9c2b

SHA256
a41b5059999a3d9b9f217312b29ba50ba90faa3b50dfc2b6ee6b3180b27c5c48

SHA512
b5e89ca24209095a889a834f64aee36a4d3a52eabaa071403b876c31e21fe429bd1680e854dde44d84a74fdbd7175d99484cab89013cb9b87cc267ead726cafb

Download Submit
C:\Users\Admin\AppData\Local\TempVRQFO.bat

Filesize
163B

MD5
5a2ae5a03652e9babf10380a05acfe57

SHA1
c8c931e5bf56e0fc6e7d1b1c7a85db29d48aeebf

SHA256
46dfeb0ecfa51a28207a208d888bb7e4dfce44e59bfdfb2c3e128b8f88fdfe5f

SHA512
1f3a602938af36277ff64cd4c3cd7e27514ff2b7ca4611d8a7346bc86dcf1a4af8780d05ee5c1f404a537891301968210a9aa3d6dd27f9d87b3a044ac4c25f34

Download Submit
C:\Users\Admin\AppData\Local\TempWHFKX.bat

Filesize
163B

MD5
ba5f9b1988e932bc9725380bb429969f

SHA1
60f8bfa16f254a72a26689e7fe13913835968073

SHA256
7f2e5f8d2bf4846e862c605804ae53b8332bda9d1a6d16d0a625c9199aa3542f

SHA512
549192fea8b82c9b36c4b4c0a63ba084d979614d831e93ae0d649d914c25de615d483314f96ba87df612d290ab23fda51fc84f75064cfdf97a60980c88ab5d37

Download Submit
C:\Users\Admin\AppData\Local\TempYFGDL.bat

Filesize
163B

MD5
ae2b80ec322acc6a3a92946b6017b9b2

SHA1
df6d13bde6c449353f44fef2a2ee64117504e7b8

SHA256
40baf497022d6b4a4b5aab79809cfe0e6cc012491fabd0beff85cf55ee2495cf

SHA512
ea3175e8f20c417250ebc64d9ba7ff6f9092ea1cfcc598a93f2a58de8329d98c649d47bf2a8b4a85a834d9fe222e56f993b245cd9a89cac10a8cad028b9200f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIASJGAUYKLIRDJ\service.exe

Filesize
520KB

MD5
3f7be4036bf780c755401f062581bc52

SHA1
e40b4c4c0af88e596b6aed6404e9d5ec15350e6b

SHA256
618adf0dd55e54a97c636850832c4b261f81289b87b9bb51f2bf4c06a7f51836

SHA512
00741df6c07c3d16fffac93fecdb7556a6a89b690439360fed57704719a602a0d36feafcf7df92dda9d7a19bf884d4fb95ca7f015b79b4d0e8727ffe1b1bc5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe

Filesize
520KB

MD5
696aea00858a19a7eedbc610839f54a5

SHA1
a8099459d918a5f2082d7d845a98a181e8a3387c

SHA256
f95918f7955d386a0b06a03f6cf783a167d8c4d388b7022f52322efa03d66726

SHA512
d6e704413a42c5a70246985493b9d70ee0d3772f591a5abfc78e70717e605a68fe327020fef142f4484d8e4b920c1f1e8e567ba2bb973ace724b37796ef25fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe

Filesize
520KB

MD5
475b8ab56871d1fb11fef99515874740

SHA1
d91ed9c0cb929579358a5b01883d7d8f49e4c8a2

SHA256
3662ed232fd106edd00d70355cfaa5718a1d35993866bf4375cb0d2e7c14849f

SHA512
fff38c633b93734265bea0c509ddcdc6aea6baa60ad2a896feea503c56a496615b03de737f0a79b01b8aebed1e7c7103394b995a73058cfc6942356ccf704331

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe

Filesize
520KB

MD5
89d6f3a77b1ce2050047da756250500d

SHA1
0d05ced63330758b54e2b03aff561e116ffb3ed4

SHA256
c4134b0d62f4b7a6565c034e661718ce35d57ae84838a906497a7d5226581b24

SHA512
14085f23c13e7f5898f360c7aaf8fe00e5742e04eecb8ef43e65d4a6f0fc0ce9e67c7b55197024d392f1554217914555a0d1541fad3505cd5540b89b7fbb51e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe

Filesize
520KB

MD5
022387dd096ca7248e69b25f0ec41c22

SHA1
fe8c3291d7fd4e37f8eb696fc7538740a2b2c51f

SHA256
1a2014d5db5867b2250f4549936969fede3edb1f807326e3b9d1f66ebcb2148c

SHA512
ccb56e234b8f79bde68d2e45845de0126dbe0840e6dfe8bd31a4b43c916029409c9864a765cf0cf61badc6737ebc1bae7ecb93326a1b6d516437f7d8bb5c010a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe

Filesize
520KB

MD5
d2e14b2218866e0e078f50a9977ca3ea

SHA1
6dbd4cdc55829bb7203ba74639b841eb9702d46f

SHA256
cf2df58324082127341bcf7ba3b5562c63970193eed9e39c088255db628e9549

SHA512
831fa167355db79ff001c91fbe574838892daf88e1982dd58ff15c0c948472cd5f75b706357987f9fefcd268b9cb24907a1feb7210627b645a27232cf99b87e0

Download Submit
\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe

Filesize
520KB

MD5
7699122ece37fa8c24872c73c9de88a3

SHA1
72bd54e474810e0cd124419b6ea9529e09278c1f

SHA256
62948e5daa29571cf6ca41cc449e92cf51ec2c0777515a43ce8a9c9ed9ef60a5

SHA512
f1749f5149c1eb7b779b0dbd6e82057c18608473561a3c1f7b38601271f09fc214175e68486b506fe500a84e613c422b393f7ee4e6f7736c476a5b60551f328c

Download Submit
\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe

Filesize
520KB

MD5
9e3d95a28c12375f47310c51722803be

SHA1
33aa7a4eb4c38a4852dd4b76e23df9400a9a49b7

SHA256
c55d2d682ecb757be782e2022fa77189a3ef55f8d4ea770f061659f7fb2e9f98

SHA512
99bfbf22aeac5619d9ad8e70780f5dc44486a48dac9f326460919adbdf466d8fdd76751e82d5c8f0c9bb6d4045fb8a6382507bcddec3cde6e0b73d8287840565

Download Submit
\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe

Filesize
520KB

MD5
8eba62efc6c9d855552e5caef1a62d9d

SHA1
f9ec4d26011401e7c91fe287897fdf4541ff5993

SHA256
3bf92326792c631265eb7ea1ea5954ba5e2dd91f499e77ac0063e245dde8f73f

SHA512
3ffd98725af8ac9731e1d73069c39c3b0777043ff2ac44ff8b1bf781ea49d33bf776ba558d82b607bc2f803396e9a9b14755c821b247d107a34cea6ed43a07d0

Download Submit
\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe

Filesize
520KB

MD5
e77e4d564bece9263520e988706b5027

SHA1
2adc13364e1f3ea3966cf2ea4815049b8cfcfc2f

SHA256
91bff8979708c93ee621cb22ee1e79b5a95d0cfd481e0c63bd7f6dc95a1c1a1a

SHA512
3b497412cff5d5b516bf1f378bde72eaf5b64b9e6560425da0b1510f79b2b564a9e7a60966bee33f538baa24ea71c960a979335be5f01474365130d71e2761ae

Download Submit
\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe

Filesize
520KB

MD5
1b2ce880a8c95a6bd30f40f2795daec0

SHA1
e69bc7536253eed2599f4abfc20a395b3363901e

SHA256
dd90177554021560b6e2f2188624655526ce4343c911edfbb17625b80b0a838b

SHA512
264fa15964a7dabb09ecc8e2173646646acc7842ba9f3362623cdfe79f756c0a1a22ef10af1b70d000b5c3e169d4609e6de1fd11ab025283aa2cb33c6a731347

Download Submit
\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe

Filesize
520KB

MD5
eef095baf85cba5db0e26d4235372711

SHA1
3ac6ac93dbdeb1d6e100f9120e81a46d412c81c5

SHA256
9d9ec287cbc2a9f8f884ad823c668b404c43b18417f8510c3e699e76c5c90aa5

SHA512
3550b8de92696f618750e5dd11f1ce38df08da9a68f08546c7e8ac667459c72677aff9de2c2bd152aa2c216d0569e09ddb21728e76792746e7798fe2463d1eb0

Download Submit
\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

Filesize
520KB

MD5
ec56e7f96a1cef94e37ca7060e258bcc

SHA1
32a6f209be1ee11f95d982fee63b3b9af5fe48a6

SHA256
bde8c308a423b60d906546013514048c5994524bdcb99a7fdbb1a375fa699ec6

SHA512
9f3372909879eb89e63831da65eca82db649cd6867910bb22bd56831c1475eda4e125fee3907d7943508c429a27a9c1083122c73c5249dad301338dfd0b180ce

Download Submit
memory/688-666-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/688-673-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/688-676-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/688-677-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/688-678-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/688-680-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/688-681-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/688-682-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/688-686-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads