blackshades | 3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/03/2025, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
Size

520KB
MD5

05dd4591907c614bc68aebeaed6193b8
SHA1

be46e28b8082177adde63329fdd3aafabf310d9b
SHA256

3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7
SHA512

233ba57c60b19621203deefa73f4a3ff4ec3923fb423c05f3dd2089e407fd75a872080d3f99ed6654e40aa6035a6473cd0df70f7988cdeb7dc192911cd8311a9
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXr:zW6ncoyqOp6IsTl/mXr

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral1/memory/2208-738-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-743-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-746-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-747-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-748-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-750-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-751-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-752-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-753-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2208-755-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFLCTKJUR\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 29 IoCs

pid	Process
2768	service.exe
2668	service.exe
1828	service.exe
3052	service.exe
2660	service.exe
1616	service.exe
1968	service.exe
2260	service.exe
1648	service.exe
2880	service.exe
2344	service.exe
2608	service.exe
3064	service.exe
996	service.exe
608	service.exe
2368	service.exe
916	service.exe
1156	service.exe
1808	service.exe
2332	service.exe
2340	service.exe
2856	service.exe
272	service.exe
2280	service.exe
1724	service.exe
1732	service.exe
1592	service.exe
2304	service.exe
2208	service.exe

Loads dropped DLL 57 IoCs

pid	Process
2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
2768	service.exe
2768	service.exe
2668	service.exe
2668	service.exe
1828	service.exe
1828	service.exe
3052	service.exe
3052	service.exe
2660	service.exe
2660	service.exe
1616	service.exe
1616	service.exe
1968	service.exe
1968	service.exe
2260	service.exe
2260	service.exe
1648	service.exe
1648	service.exe
2880	service.exe
2880	service.exe
2344	service.exe
2344	service.exe
2608	service.exe
2608	service.exe
3064	service.exe
3064	service.exe
996	service.exe
996	service.exe
608	service.exe
608	service.exe
2368	service.exe
2368	service.exe
916	service.exe
916	service.exe
1156	service.exe
1156	service.exe
1808	service.exe
1808	service.exe
2332	service.exe
2332	service.exe
2340	service.exe
2340	service.exe
2856	service.exe
2856	service.exe
272	service.exe
272	service.exe
2280	service.exe
2280	service.exe
1724	service.exe
1724	service.exe
1732	service.exe
1732	service.exe
1592	service.exe
1592	service.exe
2304	service.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYPP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGJYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLSHIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHXGOCCDYDUPCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSQUPXLMFMMVRQF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBKBTKHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSFCRQEFBBWREMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SFNEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXQGQJIKXAYFT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTAJWSQAVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMEKRCDQWNVKUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAVQDKFKXHSYPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBPYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTPNSERTOHLMVRE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUGHEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQHUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRTOMPESAIUJV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIEBSYQGGIDAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVUCWMCHQHGQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNICCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJDXDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SECGBJUVRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQVOEOIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMIJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRKLUYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFLCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKDXCEVRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXIGKFNCDVTCCW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOBFBPVNEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULKNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGLDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSVQJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2884	reg.exe
2632	reg.exe
2736	reg.exe
2768	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2208	service.exe
Token: SeCreateTokenPrivilege	2208	service.exe
Token: SeAssignPrimaryTokenPrivilege	2208	service.exe
Token: SeLockMemoryPrivilege	2208	service.exe
Token: SeIncreaseQuotaPrivilege	2208	service.exe
Token: SeMachineAccountPrivilege	2208	service.exe
Token: SeTcbPrivilege	2208	service.exe
Token: SeSecurityPrivilege	2208	service.exe
Token: SeTakeOwnershipPrivilege	2208	service.exe
Token: SeLoadDriverPrivilege	2208	service.exe
Token: SeSystemProfilePrivilege	2208	service.exe
Token: SeSystemtimePrivilege	2208	service.exe
Token: SeProfSingleProcessPrivilege	2208	service.exe
Token: SeIncBasePriorityPrivilege	2208	service.exe
Token: SeCreatePagefilePrivilege	2208	service.exe
Token: SeCreatePermanentPrivilege	2208	service.exe
Token: SeBackupPrivilege	2208	service.exe
Token: SeRestorePrivilege	2208	service.exe
Token: SeShutdownPrivilege	2208	service.exe
Token: SeDebugPrivilege	2208	service.exe
Token: SeAuditPrivilege	2208	service.exe
Token: SeSystemEnvironmentPrivilege	2208	service.exe
Token: SeChangeNotifyPrivilege	2208	service.exe
Token: SeRemoteShutdownPrivilege	2208	service.exe
Token: SeUndockPrivilege	2208	service.exe
Token: SeSyncAgentPrivilege	2208	service.exe
Token: SeEnableDelegationPrivilege	2208	service.exe
Token: SeManageVolumePrivilege	2208	service.exe
Token: SeImpersonatePrivilege	2208	service.exe
Token: SeCreateGlobalPrivilege	2208	service.exe
Token: 31	2208	service.exe
Token: 32	2208	service.exe
Token: 33	2208	service.exe
Token: 34	2208	service.exe
Token: 35	2208	service.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
2768	service.exe
2668	service.exe
1828	service.exe
3052	service.exe
2660	service.exe
1616	service.exe
1968	service.exe
2260	service.exe
1648	service.exe
2880	service.exe
2344	service.exe
2608	service.exe
3064	service.exe
996	service.exe
608	service.exe
2368	service.exe
916	service.exe
1156	service.exe
1808	service.exe
2332	service.exe
2340	service.exe
2856	service.exe
272	service.exe
2280	service.exe
1724	service.exe
1732	service.exe
1592	service.exe
2304	service.exe
2208	service.exe
2208	service.exe
2208	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2012	2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	31
PID 2364 wrote to memory of 2012	2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	31
PID 2364 wrote to memory of 2012	2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	31
PID 2364 wrote to memory of 2012	2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	31
PID 2012 wrote to memory of 2240	2012	cmd.exe	33
PID 2012 wrote to memory of 2240	2012	cmd.exe	33
PID 2012 wrote to memory of 2240	2012	cmd.exe	33
PID 2012 wrote to memory of 2240	2012	cmd.exe	33
PID 2364 wrote to memory of 2768	2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	71
PID 2364 wrote to memory of 2768	2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	71
PID 2364 wrote to memory of 2768	2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	71
PID 2364 wrote to memory of 2768	2364	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	71
PID 2768 wrote to memory of 2656	2768	service.exe	35
PID 2768 wrote to memory of 2656	2768	service.exe	35
PID 2768 wrote to memory of 2656	2768	service.exe	35
PID 2768 wrote to memory of 2656	2768	service.exe	35
PID 2656 wrote to memory of 2828	2656	cmd.exe	37
PID 2656 wrote to memory of 2828	2656	cmd.exe	37
PID 2656 wrote to memory of 2828	2656	cmd.exe	37
PID 2656 wrote to memory of 2828	2656	cmd.exe	37
PID 2768 wrote to memory of 2668	2768	service.exe	38
PID 2768 wrote to memory of 2668	2768	service.exe	38
PID 2768 wrote to memory of 2668	2768	service.exe	38
PID 2768 wrote to memory of 2668	2768	service.exe	38
PID 2668 wrote to memory of 2436	2668	service.exe	39
PID 2668 wrote to memory of 2436	2668	service.exe	39
PID 2668 wrote to memory of 2436	2668	service.exe	39
PID 2668 wrote to memory of 2436	2668	service.exe	39
PID 2436 wrote to memory of 1468	2436	cmd.exe	41
PID 2436 wrote to memory of 1468	2436	cmd.exe	41
PID 2436 wrote to memory of 1468	2436	cmd.exe	41
PID 2436 wrote to memory of 1468	2436	cmd.exe	41
PID 2668 wrote to memory of 1828	2668	service.exe	42
PID 2668 wrote to memory of 1828	2668	service.exe	42
PID 2668 wrote to memory of 1828	2668	service.exe	42
PID 2668 wrote to memory of 1828	2668	service.exe	42
PID 1828 wrote to memory of 3068	1828	service.exe	43
PID 1828 wrote to memory of 3068	1828	service.exe	43
PID 1828 wrote to memory of 3068	1828	service.exe	43
PID 1828 wrote to memory of 3068	1828	service.exe	43
PID 3068 wrote to memory of 2684	3068	cmd.exe	45
PID 3068 wrote to memory of 2684	3068	cmd.exe	45
PID 3068 wrote to memory of 2684	3068	cmd.exe	45
PID 3068 wrote to memory of 2684	3068	cmd.exe	45
PID 1828 wrote to memory of 3052	1828	service.exe	46
PID 1828 wrote to memory of 3052	1828	service.exe	46
PID 1828 wrote to memory of 3052	1828	service.exe	46
PID 1828 wrote to memory of 3052	1828	service.exe	46
PID 3052 wrote to memory of 788	3052	service.exe	47
PID 3052 wrote to memory of 788	3052	service.exe	47
PID 3052 wrote to memory of 788	3052	service.exe	47
PID 3052 wrote to memory of 788	3052	service.exe	47
PID 788 wrote to memory of 688	788	cmd.exe	49
PID 788 wrote to memory of 688	788	cmd.exe	49
PID 788 wrote to memory of 688	788	cmd.exe	49
PID 788 wrote to memory of 688	788	cmd.exe	49
PID 3052 wrote to memory of 2660	3052	service.exe	87
PID 3052 wrote to memory of 2660	3052	service.exe	87
PID 3052 wrote to memory of 2660	3052	service.exe	87
PID 3052 wrote to memory of 2660	3052	service.exe	87
PID 2660 wrote to memory of 1080	2660	service.exe	51
PID 2660 wrote to memory of 1080	2660	service.exe	51
PID 2660 wrote to memory of 1080	2660	service.exe	51
PID 2660 wrote to memory of 1080	2660	service.exe	51

C:\Users\Admin\AppData\Local\Temp\3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
"C:\Users\Admin\AppData\Local\Temp\3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSVQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
  "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTKHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
    "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIEBSYQGGIDAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe
      "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNVHOS.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYPP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUR.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGJYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:688
      - C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
        7⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHIRMV.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLSHIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOBXWA.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSQUPXLMFMMVRQF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLITQO.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSFCRQEFBBWREMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDXDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "
        12⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
        13⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBHVDR.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOBFBPVNEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
        15⤵
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULKNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLOPUB.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQAVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUII.bat" "
        21⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDKFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
        22⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBQYQK.bat" "
        23⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTPNSERTOHLMVRE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQHUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGFJXA.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUJV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLUYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHPGE.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXIGKFNCDVTCCW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        29⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        32⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe:*:Enabled:Windows Messanger" /f
        31⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe:*:Enabled:Windows Messanger" /f
        32⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        32⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        32⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1256077130-19809539862075354116666173343-936477909-1791692471146198283-1175637388"
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBHVDR.bat

Filesize
163B

MD5
b8382e28e36c2f79e4c6aabc88e01934

SHA1
4e0d6b24e341d2c38e2043978ff08d6a962a765f

SHA256
4aaf2c1c77ad5f3e02e53ac5a383d88f2a933e530dee51dc72c7d0a18f321129

SHA512
d5179a9bbd4a238041217dc5a41a28420026424357e30f9e5c553e90ca230a29779185d9679224d8919a6b59edaa181b2f10ac582323f9f5e6aae9583a5dbb65

Download Submit
C:\Users\Admin\AppData\Local\TempBQYQK.bat

Filesize
163B

MD5
17cf9170b56378d3bbb545e259d3e76d

SHA1
55d59651b9c39d1c9125bc731a81d358977cf8f1

SHA256
414c9b611a779c7e9a378a2c0557fbc601ac4208ffabe3364340b37958be106a

SHA512
b0e90ee079af8ffbb3f5fb43d9316da430ae1a7d8e2edb95a6bc990c82a5d6d107a10737d1b9d1d6a49531e14b3b1dd4da82933a5e82653bddc58f426dee3d11

Download Submit
C:\Users\Admin\AppData\Local\TempCIWES.bat

Filesize
163B

MD5
ba429fd56ff7582c4de4880c49452a09

SHA1
f39ab13e597a4092461eb550a4a343404828677d

SHA256
15ce592a30f8fa800ef34e4ccd3f9a5826f85ab0becc58f0c2cd34aa79ad6ebf

SHA512
83f91494e16ce9176dc14eab284c96cbac783ecf712524b31e9ecba8983c47ccfa20013b99c6cf8ffa05d32fcf6ec16f02d59263330639b08f7fd50136fd1e0a

Download Submit
C:\Users\Admin\AppData\Local\TempCWAMY.bat

Filesize
163B

MD5
5e76b3709a497d84ef8391f01020354d

SHA1
51f78c55afb17aec3a11666e0637754de54d5692

SHA256
11f9c23493ae6b7ce035de587469c88606ac0caca9cd7d7e71cabf66ec179258

SHA512
a73048f7a378e12bc6a2150a082e1000f527320a71914939f98085f8527b0076a7a188d91c47b2989b57f947383a707da2253e23593cec274273974f32092ce3

Download Submit
C:\Users\Admin\AppData\Local\TempDHIRN.bat

Filesize
163B

MD5
662efbf888c6d75769e8c5c0dec1d01e

SHA1
3181e950587a5f94a137cf768dcd15f46c0772af

SHA256
b32b596d5872682dbfc521ee0f94fa698be838962b81585fd54c2523bd621736

SHA512
f56692d07d039f1af97946589fb878bf6c93a7cb2e7d8fbd4b2f24716cdf0cc10dd904e026894fa5128bfe108058403a6b1ff5fc4e1f3bdd53f5eebc4c484c8d

Download Submit
C:\Users\Admin\AppData\Local\TempEFOKY.bat

Filesize
163B

MD5
8960ceb0ef08479b59c50fcc23ca918c

SHA1
612ba9e7f7164a0cef4c3ecece208314043e2227

SHA256
e05147f640ec22eeac45f62b5bf63850b795ef82db932886796ff3b486a9b978

SHA512
7aec155be1f37f296ac20eb0d9fbb5dc45b82703116c60951b0e9308941d754151dc61dfd563cb1002f07d48bbc4c69a5b68a5f5fdd291f953d8f34ded257fe5

Download Submit
C:\Users\Admin\AppData\Local\TempGFJXA.bat

Filesize
163B

MD5
cce4e39402c0ca1121660d705291b9e3

SHA1
dde080ecc6eb827eb288f886f21b405dec14234b

SHA256
f26d37b64a96bf0fae9afb9c11ae3e401feced2f485dc77ba4e2ff445c6c2d30

SHA512
501de9b077aa45f1b598b78ecc56e80e6048c15debb6117ab275df5c042aa9e903cefc564f01b4b83c05c038f6158f0566f27b0b05feca921cd1de96285ac678

Download Submit
C:\Users\Admin\AppData\Local\TempGPBHM.bat

Filesize
163B

MD5
42d069ae459273b0a7ad18a831237702

SHA1
4ac36f878a22a4f32a153863e791d23da67ef06e

SHA256
36deba68c43c38607fde36f0f8a8df91154377fce462c42e90ef01b53f87a8ac

SHA512
182174d3a9a7a7985612ae379c7ea082b48bbfac6af0bb54ae3dd4b93daba4d8090d9f629a356215204093a62c4eb025711e0b039af56a5e77abb17d0e918eee

Download Submit
C:\Users\Admin\AppData\Local\TempHIRMV.bat

Filesize
163B

MD5
8537ec64ab9c824ea1b462610fbd206a

SHA1
ad65ebd0e4cefe33fe48c62e9b89479a0c298f52

SHA256
66605e0d67a3c79ef3eaa349748ee9941aef99836743aa0967ac48a5cc3d76fc

SHA512
a57dcf092df0d45ab464156efede8641d338c56e5179169086585d03bdc1d01fc7610d849203947958e913feff07a58e22491a20114415604d26e245910b81dd

Download Submit
C:\Users\Admin\AppData\Local\TempKXFOF.bat

Filesize
163B

MD5
b196951fba48b5977560e9753b785b65

SHA1
e22f3e6d2c9c03545b5dc31252623bf766673f4a

SHA256
8b7922292951a99acead0d2660c90515a483da5780dfefc2417325f37d807731

SHA512
bd899da3d81da6bab9cb78167b9426efacab052eda353821e30afb1585749bcba973f92cbb41868a111a57b6917a8f0d0ae6019ac78690e822534923133b9aa9

Download Submit
C:\Users\Admin\AppData\Local\TempKYGUT.bat

Filesize
163B

MD5
bfe87af784bde263c3f6cdf5cd36b72f

SHA1
f72c588450099da0760b82d9d48f1759a71e27a8

SHA256
aa48511caeb9d17d096dafc2f0f10cdb98e9347cfa9803888d1c03f8d038868d

SHA512
6aba5e69540ad6d6a9b9c3113693d69235566e75746b5481261173765460c5a033656ab3e697dbcd790089597bf61863069df9ec4b9725c6d65bd3431f79fbdb

Download Submit
C:\Users\Admin\AppData\Local\TempLHPGE.bat

Filesize
163B

MD5
e5d7d66600fb7c912eecfe106fa5a67d

SHA1
f34a574f0ffc4890e2e7d6981481e18ab208dea3

SHA256
00cceb49ee80e693ece75684e20569c4fa0ddc50dcf2859d005b90171e6c65e8

SHA512
18128099ea696f50404d53a3b4b4791717859f8bf3b1deedcfee2788f39bf83f2c05f8c51ff9de8831db96b759b63e31c563469c2d7308a5a8d4ad6bcb48957a

Download Submit
C:\Users\Admin\AppData\Local\TempLITQO.bat

Filesize
163B

MD5
e5bb269c2b3d0ccebe68419445efa181

SHA1
cade865c3df69b58e5659e8270fd0fe85b4fd6fc

SHA256
e71d4c9983a769f9158cdea6cd811ec94d1e0d95b5408c9b7677ede1fa00726c

SHA512
f15a101d4784f22da543173396be8f1e63ff46a6fdc3a40f0dada7c2d80aa25d79152b37e6fa10eff443126f8ab7e13215768bf7594245bdf0434a9ef4624a8d

Download Submit
C:\Users\Admin\AppData\Local\TempLOPUB.bat

Filesize
163B

MD5
587e12d87de4bc405dc1f2c0213887d1

SHA1
525338665cf885af5842a685341059bb0b59ffd6

SHA256
9df74a9b259ecc06dbf590345a4ce80dbdc70825170c2aa8058715294b817569

SHA512
fc324a3b890b30196143bb4180123297bd82745dd4b3d72246ac5b83268b7fc571c32b12f47f2ea2a2fcff662cab3030cd5a34581c3cda7ab974b2adaa71fe30

Download Submit
C:\Users\Admin\AppData\Local\TempMJRDK.bat

Filesize
163B

MD5
22edd2e5b814b8a48238457e9eaa458f

SHA1
de9135a97c6e976de887c1acc3c3ac55ac6344dd

SHA256
0c02ada924e44b30e8d742287f0df8685fde155925f0dc44257ee33eec9cd0a9

SHA512
c40434c243412d6201a5d7835d06472744eea06c65d2e5ec9d07df0823d09250659dca0eae55ef3175c77eb1bedf65b344fb8618213d8f874e3fe057f97d3bb1

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
3f2a24c78a1e0062c3333fa133c76e55

SHA1
caafb642051e937a2658adee1f4553a4109af72a

SHA256
9694f3dfc741c18a643f8518244c2820f3e20aaf7cb099c49eba1013d922126c

SHA512
fa33c87b432c960f4d379cb104b9cb3b802629dbe852d94f1080b1ee017e54839c07f020f19b7c57703d025be5388a2128cbc09de9f81d591c7a170015d41e5f

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSA.bat

Filesize
163B

MD5
a4d004ad29d3b8175a96f922359cc315

SHA1
0fa15cba7e806e78247ff7a5a5aef1172dbeed47

SHA256
3e67df9708b257edbe5dc59a43ca15b93a69924b932332eb540da0ef422b729c

SHA512
81259fbf60b4f0153dbcd04484d0ad28ab3fecce6d4945a3a72b8535d6d120b20ceea5d1be9bbf32c5f35c1e7ca97cff84ecde6f288ebd29019b98f1783af423

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
f3b8ddc4d4fad0bc32f84eac08e8b5bf

SHA1
e01268ff601b676b24a9523067c804a7acd5685e

SHA256
645541f0f595c8bd565536eac2333a00019fdb7cb74fe9ffa313dc4c64ed881b

SHA512
d0ca064e5ade826aa3a5e80f30dab95565ff2e7ed104edbdd2e036412559cc78c9ef5090705e95f079c0ad6bee1386f5a4beb75b2b5bed282dee5762a27ef865

Download Submit
C:\Users\Admin\AppData\Local\TempNVHOS.bat

Filesize
163B

MD5
fe72326b3a174bcff560600751c53971

SHA1
184d49b39de1e9a1abd3015e3981144db6917076

SHA256
c538538b47345374ccf2c2a6e0786b5b6816f61668d507c1c6964e53e958034f

SHA512
0266ccd90a4c6d135b2b7b6d3b42ccc31ad777f5b31a6abf4d5c4325fd4b90da9dbb468784c160c44bee09414317486c2df0d0a70a0495918afd57d85525ec5e

Download Submit
C:\Users\Admin\AppData\Local\TempNWSAF.bat

Filesize
163B

MD5
afeb668f213817d4b1a9be76781efc92

SHA1
ee411b15b31e74668760c6336509caf7c1ea4014

SHA256
67e6ee9618639ad12271873b3ca1a28f253cc564a8824b20ccaa02d987ca7e12

SHA512
84a77b223af978e42dfd83be7a7707a174f3547843128ab0a384c73dac443ea15fa2844c39b4c220c6c1baf45962557095b711a90b16d3426a0af14442ddfa04

Download Submit
C:\Users\Admin\AppData\Local\TempOBXWA.bat

Filesize
163B

MD5
9f77972fb8a0a4da90e05dae340d35f7

SHA1
0d7f668b96138ed2b05f9e77ddddf35cdc0612a5

SHA256
4525e254e96e5a9e6de49ebf7358d55221138f1944e966063ee513a3b4b74584

SHA512
d487087ea1f5b14027062d67ac8ad637ed53e51e1b467b226cb70ff7cef6f35321cc63d734f3826a061f4e9cce7db214215eb4a8601747fad64cd18335aad64c

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.bat

Filesize
163B

MD5
836fe23e586a2a27bd49efd04c4d0645

SHA1
8d152e3915ff657b20eebe46d838f0367fad6027

SHA256
d34036cceb63725f50d8c9a483713375b79cf61792bba6372bb4863d6c06faf9

SHA512
c85d6b09c3b8cadb7ee1ca7e9df203bcb84fcd8f8f9380b02223d57d71de9fc141437c35e2ae857cd583ea336e7e7d502f703e1898721b25bb13dda9f37032b6

Download Submit
C:\Users\Admin\AppData\Local\TempRMUII.bat

Filesize
163B

MD5
bb27e4c24484dbe2d39e8d88d55b3c2f

SHA1
86007d26b8075efcf83cc8f6ef77c6d381291658

SHA256
cfe74a40b353c29cb95f1610b3290f8e32a0f0122d125dce317f63d35031a5f2

SHA512
52f774bad56549147e26e62d2688ff06df16a3bdaab619d8e98c3b0cba2525f2530515ff868ec444e773ad05d5066fdc7dcfb086676c0cd831a47b83ec2126c6

Download Submit
C:\Users\Admin\AppData\Local\TempSDXWL.bat

Filesize
163B

MD5
c26a343b011df42b16a20eb1e4b21ef5

SHA1
0dfa155e2a600c60d6aea6b62fa10c27c158ed79

SHA256
c00ea0b40282a342ea5dc7b6f7b0dd8ddfa38da65187885a09b2248e05bf6460

SHA512
e8c62eb5b6ba83728fff93efe994b9e4b237b050671f877301934169d1e469ee15a63007fa16af308181ad5b662121ec9d51fd372fe2d5830cf5cac2778a21c9

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.bat

Filesize
163B

MD5
188df0165b88e92710b2dfd28f60e38a

SHA1
0c22203e39030479aa2fc6cd1ced2cfa909db766

SHA256
8609b544ac5ab107c17ecbd7cc5922aa2c7b179a7e01a0d840ea7f1345017d55

SHA512
cad8fcf2b2f5268e7aac8e7a0cb78fd78ef7411630a030a3725e818e7aeffb5bae285c37448f4a797c836015a0018075d2b3035e938dd4fa7369d412ffc4b32d

Download Submit
C:\Users\Admin\AppData\Local\TempUPYPE.bat

Filesize
163B

MD5
abc643b0e8eeb7605f8e2cc38f040705

SHA1
cbd9c2cfd3024d23a49fb163833402c984be3b83

SHA256
c0627fd5a2860cce90b14cac3f9f2993a120414767c4e3a29ec6003bb008a1ff

SHA512
490d75709db51fa09dafab2da82420f3f03caa78671f289a6f2ab73a7e787455f77071066f35402c01386f620c4313d509436179971b05b597432c9ace4be3af

Download Submit
C:\Users\Admin\AppData\Local\TempVHNSE.bat

Filesize
163B

MD5
ff557665b57d32a1d0d57febe9e3ae15

SHA1
fc9a0b568f1f1fffa70b59b2c03247faab516782

SHA256
fd67bb00ddb9e7208443ed698310f77eee63ff2fa1f5f6f434fdeb498993e86b

SHA512
597d26df5000871b3e1b339baa304b0c5026e7f378f0e02b83c78497bff7e3f3835904bb57438df903fac516e85a8d5eeaacb58a0965943621e43b25195b9838

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUR.bat

Filesize
163B

MD5
7c6b33b25d35867115c50b05fb15d28c

SHA1
f5f68fa6d475b45caa2b11fdf94f3fb337076a67

SHA256
065d97e5c0a93d56928136cc5a1e1bda166f3bb2d6d15edadafb7defa3897ab2

SHA512
4664b3f2b417375889cd0f404be9f2771a261707e07c782299f90b0efef80cf43e6278a8faec5a69f303b588c0d49d7e9d71ba2b8ef6051c6f258ce735db8b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe

Filesize
520KB

MD5
0ab322fdca88a8032b2397e41deaca79

SHA1
d11c6c4afc4c304bf14bcec3ce04aadc3bfa3d10

SHA256
f31a1676a54b285fc3520b0bee6430d0e0dd237132779ed92b4984f2ab312e85

SHA512
1e934cd45561d8889a9bd4981c3650832ebab6c40746e552f04c41428531a525c6487379adb70697eb7fa759e136550879e7920dfd022036b7869852da6d3091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe

Filesize
520KB

MD5
ca8898fdd4d6837d903a3ec5e1de9ea4

SHA1
b2082ab532f9f0a1a2eb10249c885261afb608f4

SHA256
b1ba9299b5e553924e2a2224ac7e3f20ea9c191ce8811c242cd84d8a00e10784

SHA512
e530b7964db89d64b0f5ad583f1cc37d01ca8bc4999b9fdec5460e0ec608eeef7054ad87934b30077f32ac48d61f9989f0bf2acf8856c9ef719bc4e7ef820053

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe

Filesize
520KB

MD5
529e56f1dd193c7fc52f02c18cf6d788

SHA1
c8cb43500ea442c34a30af99138205aaa49c7a60

SHA256
a142fb82b2e69c277f044a8ad3fa0ed2a5afd85714553b84f780c99ed99aa42f

SHA512
b77dca00b7de32cb89909b4fc16d8711e333eac4a3b14b8bc09816a5bc6cc7d5a989076fab67632295db4be254fd9b991e6d819c14b380ebcb894a8944043b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe

Filesize
520KB

MD5
7b5f718cb808bc1411a725fb8fe785e5

SHA1
1d677917326eecb7edeb00495a93c2e25e999534

SHA256
b4c419df723723e9c876b46096ab9b38d8fd6048fafc4ee9df1290f7e245b9ef

SHA512
0e41976de73369e43465880ea54b1e01adf80fbbf5c33b4df97da32379054c80032fb9d25cace36d08fd55a1d06831c37d545b3b7f9e5d0d498c53823e98870f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe

Filesize
520KB

MD5
edcb39204c01d4abfde1a8622d81c095

SHA1
16632354f8c1356f201b7a5364d06c411f124f66

SHA256
1b11dcdb496b79c25b2d8fb1ed946ab47cb1f5dbf094af85d21f6a4028106a44

SHA512
b02b5a5beb1b5f7968d714b9be331936d3f94522c1e0319ce2585c84240c8a69ccd140d6af813057958bfcf5c0bb44888ec43aa198c774091e5355d2dddfb8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe

Filesize
520KB

MD5
3b1eac28a825b60506ea3b73eacfed6b

SHA1
cc18a5362add0dbbd61eda35f02025ad91078475

SHA256
14e34c74609c89a77bbf97aeb1e96e59d97b1eec5c53d6f2eb4ec667da204734

SHA512
55064f192056c0e1c6ee7c1e6fd17679aceeaf31f6b462ee01f958a3850eda65ac17717d412fd2e5027de2401d7d293418245712947babea8efb5811b34be6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe

Filesize
520KB

MD5
a2eb188cf103b8896556a99446b43b2b

SHA1
e13a17f0e7390d8c6fa8e5f7b556bcd23b5cb777

SHA256
96f663f5980c765f29df6eda7207363ee1167f4ba57c4e38f90d24d2cab3dd02

SHA512
aaae2c2c991cc25686b658e42339ef73cf19fb09cc13f8d3e7f20634d37cf2c52630c244969bc766f910eb5220583bae551b2c990b68cb10e2c4e1863abdc044

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

Filesize
520KB

MD5
cbfcbe88c203d087e325da01024c1f22

SHA1
e53b7868bb326ade367d624764b5ed903a69922d

SHA256
59cd2c7b14ab855201bf0cca42b840f69dd1f4da59e4c27c88addd67b48f8268

SHA512
b2d3df78404f81bd6b582fe0615de6d61af0eedcff0ef8e7e17e239cf987ec3fa3eb7ca83db146bd6e15ee8d672ece1b6572970f661755025e48427e40d50279

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

Filesize
520KB

MD5
95275019dcbcf3447f988204555d23fe

SHA1
254870258f3482ab850d31867a685df9933f9850

SHA256
5ec17d9f8135736b248bf01a3f5f0bf5fceef1cca1b18bcfd2ceeef713c4d974

SHA512
e99c8f73f0bab118fb14fd2444b10bb82154cc87470005aa9d0ffcc54d838313dbd1dc902e372df41b2a6042fc0ee70b857fbfde9ab9954435baf8a94a52d9fd

Download Submit
\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe

Filesize
520KB

MD5
75e1d21da74e0801441a4cb630088787

SHA1
b6aeded4ee7122b37cbe00b55d3d9f7fa09622fe

SHA256
cd1e3c0c63a7cad1af673419d377431d1a98a5ad21c0e461d35beedf7d375178

SHA512
9dde8f43009694858bae88886c0453e70972ab2a7f54cf3830f993befef154eb39915f0b0a1da0a8f8dec3b98e72870f34fa41ef2c6328e697dce5a527b46562

Download Submit
\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe

Filesize
520KB

MD5
be649c619c054faa8bafd08217ff7ac2

SHA1
96a72dde89c9752b787aba430c4248c6da86ab5f

SHA256
8b92eacbef0e22014f91271e9c6e2148f734041e2ebf0dffe4752b8178994774

SHA512
e7e471a89c03d2d620a04ef4e7d82bc9f0ce2d1dcf22597839a426a4c7d444a20f0066d6191ae7827780fd4f1d899c225ddfa8f66d0ba62732f2076f387ea81c

Download Submit
\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe

Filesize
520KB

MD5
8dbf637064960cd8e1074d84a03e7b75

SHA1
10041307e7bb2b705d15ea001b7bf0ebda7238d0

SHA256
7ba47a492675e7d377047fc7179db8f51ad16e1dad1112d47e0b4152877e78da

SHA512
acb31feccf90e5aedec11da65b2a3b9f1f5ccc1c7ba8f0f62a6f181e0e258245c54a1f1ca6366fd27880a457b2057a1dd2d4a62ca896fdc2a3b09c4e15ce6e16

Download Submit
\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe

Filesize
520KB

MD5
e5922b7f386619aafde16caa92aad7c0

SHA1
e9e6c556e11b1ecfe8234fc1098eb8c92e36379d

SHA256
ce5b26b9201a8cf87d481874e10bff914efc81ea02a9bc489eec170aef09be7e

SHA512
47360da89fd9a66400de0e7f8b07835cb1045703d891524ced68cf47e0d3ad38f01145cb1aa3709bccbae58f0ac2371fd30eabceb00e09afe11c487f87afffa6

Download Submit
memory/2208-738-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-743-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-746-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-747-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-748-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-750-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-751-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-752-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-753-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2208-755-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads