blackshades | 12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe
Size

520KB
MD5

a70f8aadca8b8bef6581a9323418d64c
SHA1

6ecd1c6134448ee01d6520ec0fb81f05f63da16e
SHA256

12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f
SHA512

642885167b297ee4f07c1c75282a0e4c39f58b4308dfe52db6cc990ff7052af9a25befd2704b76f7b840bec1ab88fea015bbf222509ba073eccf05cd3631aff1
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXL:zW6ncoyqOp6IsTl/mXL

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral1/memory/2164-323-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-328-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-329-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-331-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-332-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-333-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-335-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-336-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-341-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-342-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2164-344-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOEPIGJVWES\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 12 IoCs

pid	Process
2968	service.exe
2184	service.exe
1536	service.exe
2856	service.exe
2604	service.exe
916	service.exe
1528	service.exe
992	service.exe
2556	service.exe
2748	service.exe
2592	service.exe
2164	service.exe

Loads dropped DLL 23 IoCs

pid	Process
3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe
3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe
2968	service.exe
2968	service.exe
2184	service.exe
2184	service.exe
1536	service.exe
1536	service.exe
2856	service.exe
2856	service.exe
2604	service.exe
2604	service.exe
916	service.exe
916	service.exe
1528	service.exe
1528	service.exe
992	service.exe
992	service.exe
2556	service.exe
2556	service.exe
2748	service.exe
2748	service.exe
2592	service.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECGBIUVQORGUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVUYLCPLJXOAOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLEDKTJPGXODND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFRSNLODRYHTYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJSEKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OJHJNUDPTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHIFNGKBM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTMNXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOEPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\APQOWIOTFDHCKVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUBKXTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSDERXOWLVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOKICXSFMHMIURO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVJUKGFSIWSQAVH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAFAVQDL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJIKFCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQBAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNAGLB\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2400	reg.exe
2692	reg.exe
2808	reg.exe
1964	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2164	service.exe
Token: SeCreateTokenPrivilege	2164	service.exe
Token: SeAssignPrimaryTokenPrivilege	2164	service.exe
Token: SeLockMemoryPrivilege	2164	service.exe
Token: SeIncreaseQuotaPrivilege	2164	service.exe
Token: SeMachineAccountPrivilege	2164	service.exe
Token: SeTcbPrivilege	2164	service.exe
Token: SeSecurityPrivilege	2164	service.exe
Token: SeTakeOwnershipPrivilege	2164	service.exe
Token: SeLoadDriverPrivilege	2164	service.exe
Token: SeSystemProfilePrivilege	2164	service.exe
Token: SeSystemtimePrivilege	2164	service.exe
Token: SeProfSingleProcessPrivilege	2164	service.exe
Token: SeIncBasePriorityPrivilege	2164	service.exe
Token: SeCreatePagefilePrivilege	2164	service.exe
Token: SeCreatePermanentPrivilege	2164	service.exe
Token: SeBackupPrivilege	2164	service.exe
Token: SeRestorePrivilege	2164	service.exe
Token: SeShutdownPrivilege	2164	service.exe
Token: SeDebugPrivilege	2164	service.exe
Token: SeAuditPrivilege	2164	service.exe
Token: SeSystemEnvironmentPrivilege	2164	service.exe
Token: SeChangeNotifyPrivilege	2164	service.exe
Token: SeRemoteShutdownPrivilege	2164	service.exe
Token: SeUndockPrivilege	2164	service.exe
Token: SeSyncAgentPrivilege	2164	service.exe
Token: SeEnableDelegationPrivilege	2164	service.exe
Token: SeManageVolumePrivilege	2164	service.exe
Token: SeImpersonatePrivilege	2164	service.exe
Token: SeCreateGlobalPrivilege	2164	service.exe
Token: 31	2164	service.exe
Token: 32	2164	service.exe
Token: 33	2164	service.exe
Token: 34	2164	service.exe
Token: 35	2164	service.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe
2968	service.exe
2184	service.exe
1536	service.exe
2856	service.exe
2604	service.exe
916	service.exe
1528	service.exe
992	service.exe
2556	service.exe
2748	service.exe
2592	service.exe
2164	service.exe
2164	service.exe
2164	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2116	3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe	30
PID 3056 wrote to memory of 2116	3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe	30
PID 3056 wrote to memory of 2116	3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe	30
PID 3056 wrote to memory of 2116	3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe	30
PID 2116 wrote to memory of 544	2116	cmd.exe	32
PID 2116 wrote to memory of 544	2116	cmd.exe	32
PID 2116 wrote to memory of 544	2116	cmd.exe	32
PID 2116 wrote to memory of 544	2116	cmd.exe	32
PID 3056 wrote to memory of 2968	3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe	33
PID 3056 wrote to memory of 2968	3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe	33
PID 3056 wrote to memory of 2968	3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe	33
PID 3056 wrote to memory of 2968	3056	12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe	33
PID 2968 wrote to memory of 2640	2968	service.exe	34
PID 2968 wrote to memory of 2640	2968	service.exe	34
PID 2968 wrote to memory of 2640	2968	service.exe	34
PID 2968 wrote to memory of 2640	2968	service.exe	34
PID 2640 wrote to memory of 2828	2640	cmd.exe	36
PID 2640 wrote to memory of 2828	2640	cmd.exe	36
PID 2640 wrote to memory of 2828	2640	cmd.exe	36
PID 2640 wrote to memory of 2828	2640	cmd.exe	36
PID 2968 wrote to memory of 2184	2968	service.exe	37
PID 2968 wrote to memory of 2184	2968	service.exe	37
PID 2968 wrote to memory of 2184	2968	service.exe	37
PID 2968 wrote to memory of 2184	2968	service.exe	37
PID 2184 wrote to memory of 2752	2184	service.exe	38
PID 2184 wrote to memory of 2752	2184	service.exe	38
PID 2184 wrote to memory of 2752	2184	service.exe	38
PID 2184 wrote to memory of 2752	2184	service.exe	38
PID 2752 wrote to memory of 2940	2752	cmd.exe	40
PID 2752 wrote to memory of 2940	2752	cmd.exe	40
PID 2752 wrote to memory of 2940	2752	cmd.exe	40
PID 2752 wrote to memory of 2940	2752	cmd.exe	40
PID 2184 wrote to memory of 1536	2184	service.exe	41
PID 2184 wrote to memory of 1536	2184	service.exe	41
PID 2184 wrote to memory of 1536	2184	service.exe	41
PID 2184 wrote to memory of 1536	2184	service.exe	41
PID 1536 wrote to memory of 1984	1536	service.exe	42
PID 1536 wrote to memory of 1984	1536	service.exe	42
PID 1536 wrote to memory of 1984	1536	service.exe	42
PID 1536 wrote to memory of 1984	1536	service.exe	42
PID 1984 wrote to memory of 1932	1984	cmd.exe	44
PID 1984 wrote to memory of 1932	1984	cmd.exe	44
PID 1984 wrote to memory of 1932	1984	cmd.exe	44
PID 1984 wrote to memory of 1932	1984	cmd.exe	44
PID 1536 wrote to memory of 2856	1536	service.exe	45
PID 1536 wrote to memory of 2856	1536	service.exe	45
PID 1536 wrote to memory of 2856	1536	service.exe	45
PID 1536 wrote to memory of 2856	1536	service.exe	45
PID 2856 wrote to memory of 2028	2856	service.exe	46
PID 2856 wrote to memory of 2028	2856	service.exe	46
PID 2856 wrote to memory of 2028	2856	service.exe	46
PID 2856 wrote to memory of 2028	2856	service.exe	46
PID 2028 wrote to memory of 1040	2028	cmd.exe	48
PID 2028 wrote to memory of 1040	2028	cmd.exe	48
PID 2028 wrote to memory of 1040	2028	cmd.exe	48
PID 2028 wrote to memory of 1040	2028	cmd.exe	48
PID 2856 wrote to memory of 2604	2856	service.exe	49
PID 2856 wrote to memory of 2604	2856	service.exe	49
PID 2856 wrote to memory of 2604	2856	service.exe	49
PID 2856 wrote to memory of 2604	2856	service.exe	49
PID 2604 wrote to memory of 344	2604	service.exe	50
PID 2604 wrote to memory of 344	2604	service.exe	50
PID 2604 wrote to memory of 344	2604	service.exe	50
PID 2604 wrote to memory of 344	2604	service.exe	50

C:\Users\Admin\AppData\Local\Temp\12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe
"C:\Users\Admin\AppData\Local\Temp\12261678df28ee521626955de79a3d994ca2186388de292aa946fcd822c0e74f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBIUVQORGUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:544
- C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
  "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempSQSIV.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "APQOWIOTFDHCKVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
    "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUBKXTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe
      "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSNVKK.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKICXSFMHMIURO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEHISN.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYLCPLJXOAOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1040
      - C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBVXCS.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NVJUKGFSIWSQAVH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGEIW.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFRSNLODRYHTYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJSEKP\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJSEKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJSEKP\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDPTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVSST.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQBAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTMNXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        15⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe:*:Enabled:Windows Messanger" /f
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe:*:Enabled:Windows Messanger" /f
        15⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        15⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        15⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBVXCS.bat

Filesize
163B

MD5
f03b5fc71144c3fa6279403dac621243

SHA1
ea017d278c6b210d648b65291e4eaca5bb35248d

SHA256
dfd6f9b52f016a52b72dc3c32f87e92fda8aace08ca294c8820afc107f40ca06

SHA512
8ae7314ddf569fcd3fa0d607270e94d7ba20197e8a3de42ad2944a78507df35edaf61cca540e9cc53452c98e07d03f58cdbd9e1eb0daddc245eb7a1a6ac21783

Download Submit
C:\Users\Admin\AppData\Local\TempEHISN.bat

Filesize
163B

MD5
302d90a43a0fd7982404fd0a0fd99e5a

SHA1
6c22c3017dabeac519d4da517ba129981535c514

SHA256
49c93337435909f01c054e972aeb238b467f79fde188716e67f7a746e916c5da

SHA512
af1e97b69455307e4f89ad8b8899121d1a38718c26aa42b116237d4bc72c2a031343ad8bc912ac147bc4d87bdbe020cd0835d2d3a73aa730059c82f7c5c8730f

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.bat

Filesize
163B

MD5
058680478320d20e5e434265503dfb07

SHA1
aaf43191c1521e090b943cfb6385e9d167e53884

SHA256
4e4a309108a39f2769d11f1a209ab8ee34b429a594fdfc8dfdec4a812993988d

SHA512
52e173061ec80f2bb36b72f78f9cc1adc5138017436cb9a4d044a782bfe0a3db660011bd89614fcba2acf99915b73d4ab3ad1170bfa220454a47d5488a07ea91

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.bat

Filesize
163B

MD5
2b321be8e73ff6f8f1d0e575a27568ba

SHA1
82100896f7c895d4a2847c1395edcfd8dfe87a62

SHA256
96a529951501b9724a169deb7aa6939dffbaedec81c52f851c0bdf4f83c1f936

SHA512
908c51daabe05b7fae8d714b536f7b542a98e3e3cf5aa72fd94214a6019c50891f5758d8e33701c41f2e88403e86998113eb7146eec8b0b902add8c7bcd36e7a

Download Submit
C:\Users\Admin\AppData\Local\TempSNVKK.bat

Filesize
163B

MD5
488162b5c479fb6f6034b3ac72401a48

SHA1
38815773dff1ecd4756af7ff61137b50a8d595a2

SHA256
4ea908cfbe44ad66d91bb9965b1dea6b67813a817f4a38d7bebd8d7f086faed2

SHA512
750925a2ca025ff1ab65b2d64562718d2f3ba0d0990372efcdb2344dbdaf703146807db03efc9a9d9e5ef55028ab86cf8b8324678f1fb7736d8a2b1df0c24d47

Download Submit
C:\Users\Admin\AppData\Local\TempSQSIV.bat

Filesize
163B

MD5
468ba630dc83b081210be0a3631c782c

SHA1
0f47202ba5e113c550de9e16510a6cb5833741eb

SHA256
718b35713ea6d8b0e1c802d8a3e02873372ee25e91b3aab51683f12a9216de10

SHA512
cfd3fa01b54cc2d41bd4ddb7ab0331ad4c6c799217857d2b26fa53874fea66c6409a94e695fe3e8ef6ff5ced481623d0503eaa183acb9554d96d0c584a922fbe

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.bat

Filesize
163B

MD5
cfdfb84e49dfe6847ba1e17c53f35159

SHA1
da77ba105a48ad835fca9989a6af15f572bf5417

SHA256
51357c19a2d9039d8dbf64b780ede97baf3eadce3cc700c89036572f402954ef

SHA512
2c99745c2285234c0aae43c336231b54b3e595be42de1f5673afebf6fb2d9169efa310a372db192d1e9c5db1d5b556e48d7384bff4594e8e86c6ab47858bbbea

Download Submit
C:\Users\Admin\AppData\Local\TempUGEIW.bat

Filesize
163B

MD5
9dabe157e0c83a1a2fd698f1bbf4b23d

SHA1
26052f0d3e7e4c24c81c93ce140c8d1b4175a11d

SHA256
5affabd60edc93f28bd513456d96085e56aab44dc318d5d76a4c902a86e3a49b

SHA512
42f1949bf9122d4ff59471013394db34ada83d12367e5afe888bc9e587763285f635d4978fe43382bc33f409e91cdbfe4c84e360fb704509d88c4e2ebe5647cd

Download Submit
C:\Users\Admin\AppData\Local\TempWALYJ.bat

Filesize
163B

MD5
0c9f6009ebcc74291ac4b9e09f99ac2e

SHA1
abbda8e0660c4ad21a07b2b31e63493ec31a549d

SHA256
feaa08e1430d4598f816b9fe05efcaaed3133ac42a699535dbcf9fdbc67de2c9

SHA512
9dce802654bbe1ec0d868879c04d9e76c7fcdf4e4b23084614e961ee68b20e5f52090e6adfcaf314f107fd127996a76e3ce4e63c9ef435d7a4dc2ce441c6d71b

Download Submit
C:\Users\Admin\AppData\Local\TempWVRSS.bat

Filesize
163B

MD5
f7c2b529214710d2bba1b9dac4bdcef8

SHA1
0341723ce1dc588132281d460b672d26556c9c99

SHA256
71600a0cf16a5798f7590d1088d945259ddf2dc2548b5b04825a70066f685691

SHA512
c0d55e5894c48b924681a5c4d5d7adde5a4f3b3caac8decf33e4cc604c41cedfac18e4d6174442b98aa590327492851a054cb291371b425c2b45f14c40ca4f2c

Download Submit
C:\Users\Admin\AppData\Local\TempWVSST.bat

Filesize
163B

MD5
86550c4045ded27f9bfcc444dbc3fe24

SHA1
01b7dcdc9ee8c7ff89d01066db04249a81eeff91

SHA256
36dadacba29ee174b5948d034f9c17ab59afaeb3e6b696f7633f2e4c717a3d78

SHA512
90794a8e5f439b0771d24a3e84800e5340d42e184fa232b0395e809a9ef6953a68e8347c49a8074ce31014100319eb7a6fe80d9557e169f75bd8b60795bd1dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe

Filesize
520KB

MD5
85236bdf2f44e49518c54ef42bafa935

SHA1
831db75951ecb4b6b3ff9fccf9aa8aad26564ff0

SHA256
3db9c510601f03f99ce2952926c03e3a71990b2fdb51964a6e76917c6b4e5a35

SHA512
af09b6d654ed9dec955c1c4e9fd7a6689a923ad6f193aabf4099690e986e815859cd929e3d30c80cdccd75cb8227bec1b71a30f7b53009e218869a7bf06255b4

Download Submit
\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJSEKP\service.exe

Filesize
520KB

MD5
d976f382f645fc7dcf37c9f6441d02de

SHA1
5ac50cc61d2e149e5234516b9d8abed7b8429f18

SHA256
56781cfc562a7e2e9f84bf9738a52cde30750383398fedc9e4fd4b22ef565be2

SHA512
3d9721ebfc81383b36244f369667dc50a94589fb6343cd5bf6aee6593ad791279ade2d9b9030cc0c95c18b82fd92b09196ada1edabd1d6e23e517ca6332b944b

Download Submit
\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

Filesize
520KB

MD5
0c3cca69361cda303df57936c398aae2

SHA1
dbfce50282fce51b278d29cb1460cbe9714575a9

SHA256
ed3c520601cabd244adb6a809cd3aa050960b821a3dd1ab7db004fb5e13503ce

SHA512
a7ab17bee5e8b679fd02a11c6ea812c38f72996aa3f24488933cc88b52c973e57f79dcdd3d18b39ffac1684c5ecb5658b7424d68fa056a05f9dbc170f22462d0

Download Submit
\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe

Filesize
520KB

MD5
9bd12922bfeaaefefcd7ddff432fb994

SHA1
4e4b279926f0b4f474e61ff0dbca4b66bb60443e

SHA256
e5a528e1c4feae803f3f8cad30da0b4438e097b8f7dfd8de502987a9925c4c42

SHA512
a17a5a79eca20936b69b312f9817ad8e6267ce66af4b32307fe6a0099e2400859740f8ef900a11edbb767f1c780e2b997b5bfa577d44555ccd04bae352e914ee

Download Submit
\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe

Filesize
520KB

MD5
d2a9cf9584040351afb21650a7f9f82a

SHA1
0648104a17a5e0eee2f11bec602bb51b1956f896

SHA256
8048e0202cab52f1074c1ec0de052af9d2ded7ccf4bec1c4be0bb384010f9198

SHA512
2ffbb89540396593247fd448185e61dfbf89c3ca32601c2148a004c8a08124352400ac9e118f0991e7a6bc0ebcd3a0ac3a86e810829cc8a0734ac2586f535074

Download Submit
\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe

Filesize
520KB

MD5
d62471333c750df5c6dedbd706defcf4

SHA1
ada89d07ca40c786c465a8055ecfe9d2a4f7686c

SHA256
20f03c09ffebca05787b24b2dd24b7088b595cc495584bb2f6b9a659cb88f7c8

SHA512
83adb27a8c0fd934357328d3889b7244f8913e31698cc81a1d4f09fe6f45c097a5d60fd4da59320c1d9c48f52d12a4c3b2f9aceb0beda13f3194730fd3fe74ff

Download Submit
\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe

Filesize
520KB

MD5
d6a3ef18b0a7a7fb9d15a275ebbf88fd

SHA1
018c7a0875745de9a75c607031e8313459b1f7b0

SHA256
03200c298a665b24b364e323b79dc1c2d5cdae5d782ac65af54910c6e6fa88ef

SHA512
ad6442b5720b64ee5cfe6d0dee7d3a937247e154ddec2a83aad02aad897cab2177f910bce57c58a81983543e1a67ec1f6d64ba57ef197e8a1cc1a38f8464a59c

Download Submit
\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe

Filesize
520KB

MD5
c3b81170de9c29c7258bfe1b13404c87

SHA1
8eeb7a8a3a653ef6a9432ae6c7111bee536ce854

SHA256
32c90404f293e5048943ecff2a7df8b4836701970fe84ff3f4ba7ef84fe1b43b

SHA512
aa180667f87c28e84ab71e822f1fa783102c43c983a2a501ecb300935d3c6e635fadccebf83456a23daec9fef7224a6de0071301bf1cf7ddcbd4aa5e7ee5c878

Download Submit
\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe

Filesize
520KB

MD5
8a57bc76be98c4b66925f385bfae57f6

SHA1
84b64e743ea7dd131ecd6394decf896d017b9660

SHA256
e4c75103189bf4703ffeae7faebd07432c53da039d8e8dd02896b2534610bab4

SHA512
92e1c19e29b3b9292d0ad4ad93b8e5481fe0c70bf41da07edd76479d7710668b2c90b0ae48c33da6cbb888f406d51dde79e3e3d9884cf5c16b6d59eb770184f1

Download Submit
\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe

Filesize
520KB

MD5
348c317e8032c7a7c01e40ec2dbc4ae1

SHA1
fb202ca2dacbeeb6fd86c71362e3e50aeedcd995

SHA256
da667c4bd78a25972a632c8c3ab37deab2441ea6e6fdd59fbd6e455e0d55b6d3

SHA512
3eb48a01edcf52d04c3f31177c3c7f56aa031ee13d274e87e5b698f4938b28d4719da4adc15db7663f0bbac1561affb8557d2e09ba7c12e093282258421f5acf

Download Submit
\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe

Filesize
520KB

MD5
bc97cd54b425498679dda5048bc7aed7

SHA1
cf113a26501f2df682327375057bd8e38899727c

SHA256
d3722929273d711219c11ccff6f0ce16973819c43946a3d86251c79f4e15b43c

SHA512
c611318bc2971d39004a6f7a1727deb61dffc9bcbe0565c8ecfe3ea3b97890685b0a9605ad1bf2fa7279de4f87ff8d9a1f7314d30a191f0d073ef67de49d62ed

Download Submit
memory/2164-323-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-328-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-329-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-331-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-332-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-333-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-335-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-336-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-341-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-342-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2164-344-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads