blackshades | 148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b

Analysis

max time kernel
90s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe
Size

520KB
MD5

3d819c953181a77a563bcd3cdee5e936
SHA1

ed59e0af658163f5365fd3f2a370fc7963592452
SHA256

148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b
SHA512

7913173ba6eb928c467c825e97d5757e7ed2f7b216ead491fb2c1e0e85b56ab97f0a2247d4bd69deedeef0608bb993ab87d947bb40061d4c6b775f1c8ce17ffc
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX+:zW6ncoyqOp6IsTl/mX+

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 8 IoCs

resource	yara_rule
behavioral2/memory/3172-642-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3172-643-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3172-648-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3172-649-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3172-651-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3172-652-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3172-653-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3172-656-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 25 IoCs

pid	Process
1724	service.exe
2288	service.exe
5096	service.exe
3856	service.exe
3448	service.exe
4632	service.exe
1028	service.exe
2968	service.exe
1600	service.exe
3132	service.exe
880	service.exe
4824	service.exe
1196	service.exe
112	service.exe
3832	service.exe
2280	service.exe
3792	service.exe
3844	service.exe
2988	service.exe
712	service.exe
3988	service.exe
5024	service.exe
2724	service.exe
2280	service.exe
3172	service.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XXLMHFIXLSBNSCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIQHRNIYRDSCSSQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IHUBKYUSCXJCWYD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEVRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSJOGXOCMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DXTOCYJYEIYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTRUFKPCOWOB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BPXPCEYAVPDKFKX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NWIOTFDHCJVWRQS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECGBJUVQPRHUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVGHENFKBYMNJHJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMMNIGNJMTC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTHHIDCIEUHOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSGSDCGYXTVHNUU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCRSPYKQVHFJELA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QURFRCBFXWTUGMT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXIUTUQOVQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJBTKHBRLMVYLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLJRDKO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSOMRERTOHKLVRE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NKJNBEAOUNDDFAH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXTUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UASWROPBHOPXATT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGCACXSFNHMJURP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVQTXVYJOTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUWRPRHVDL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYPPNVHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKTKUQLUFVAFUVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQKFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSHGHDBIDYTGO\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 3172	2280	service.exe	187

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4216	reg.exe
2032	reg.exe
3924	reg.exe
4944	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3172	service.exe
Token: SeCreateTokenPrivilege	3172	service.exe
Token: SeAssignPrimaryTokenPrivilege	3172	service.exe
Token: SeLockMemoryPrivilege	3172	service.exe
Token: SeIncreaseQuotaPrivilege	3172	service.exe
Token: SeMachineAccountPrivilege	3172	service.exe
Token: SeTcbPrivilege	3172	service.exe
Token: SeSecurityPrivilege	3172	service.exe
Token: SeTakeOwnershipPrivilege	3172	service.exe
Token: SeLoadDriverPrivilege	3172	service.exe
Token: SeSystemProfilePrivilege	3172	service.exe
Token: SeSystemtimePrivilege	3172	service.exe
Token: SeProfSingleProcessPrivilege	3172	service.exe
Token: SeIncBasePriorityPrivilege	3172	service.exe
Token: SeCreatePagefilePrivilege	3172	service.exe
Token: SeCreatePermanentPrivilege	3172	service.exe
Token: SeBackupPrivilege	3172	service.exe
Token: SeRestorePrivilege	3172	service.exe
Token: SeShutdownPrivilege	3172	service.exe
Token: SeDebugPrivilege	3172	service.exe
Token: SeAuditPrivilege	3172	service.exe
Token: SeSystemEnvironmentPrivilege	3172	service.exe
Token: SeChangeNotifyPrivilege	3172	service.exe
Token: SeRemoteShutdownPrivilege	3172	service.exe
Token: SeUndockPrivilege	3172	service.exe
Token: SeSyncAgentPrivilege	3172	service.exe
Token: SeEnableDelegationPrivilege	3172	service.exe
Token: SeManageVolumePrivilege	3172	service.exe
Token: SeImpersonatePrivilege	3172	service.exe
Token: SeCreateGlobalPrivilege	3172	service.exe
Token: 31	3172	service.exe
Token: 32	3172	service.exe
Token: 33	3172	service.exe
Token: 34	3172	service.exe
Token: 35	3172	service.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3896	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe
1724	service.exe
2288	service.exe
5096	service.exe
3856	service.exe
3448	service.exe
4632	service.exe
1028	service.exe
2968	service.exe
1600	service.exe
3132	service.exe
880	service.exe
4824	service.exe
1196	service.exe
112	service.exe
3832	service.exe
2280	service.exe
3792	service.exe
3844	service.exe
2988	service.exe
712	service.exe
3988	service.exe
5024	service.exe
2724	service.exe
2280	service.exe
3172	service.exe
3172	service.exe
3172	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 5064	3896	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe	82
PID 3896 wrote to memory of 5064	3896	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe	82
PID 3896 wrote to memory of 5064	3896	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe	82
PID 5064 wrote to memory of 3404	5064	cmd.exe	84
PID 5064 wrote to memory of 3404	5064	cmd.exe	84
PID 5064 wrote to memory of 3404	5064	cmd.exe	84
PID 3896 wrote to memory of 1724	3896	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe	85
PID 3896 wrote to memory of 1724	3896	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe	85
PID 3896 wrote to memory of 1724	3896	148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe	85
PID 1724 wrote to memory of 4680	1724	service.exe	86
PID 1724 wrote to memory of 4680	1724	service.exe	86
PID 1724 wrote to memory of 4680	1724	service.exe	86
PID 4680 wrote to memory of 1636	4680	cmd.exe	88
PID 4680 wrote to memory of 1636	4680	cmd.exe	88
PID 4680 wrote to memory of 1636	4680	cmd.exe	88
PID 1724 wrote to memory of 2288	1724	service.exe	89
PID 1724 wrote to memory of 2288	1724	service.exe	89
PID 1724 wrote to memory of 2288	1724	service.exe	89
PID 2288 wrote to memory of 2704	2288	service.exe	90
PID 2288 wrote to memory of 2704	2288	service.exe	90
PID 2288 wrote to memory of 2704	2288	service.exe	90
PID 2704 wrote to memory of 2068	2704	cmd.exe	92
PID 2704 wrote to memory of 2068	2704	cmd.exe	92
PID 2704 wrote to memory of 2068	2704	cmd.exe	92
PID 2288 wrote to memory of 5096	2288	service.exe	93
PID 2288 wrote to memory of 5096	2288	service.exe	93
PID 2288 wrote to memory of 5096	2288	service.exe	93
PID 5096 wrote to memory of 3792	5096	service.exe	94
PID 5096 wrote to memory of 3792	5096	service.exe	94
PID 5096 wrote to memory of 3792	5096	service.exe	94
PID 3792 wrote to memory of 1532	3792	cmd.exe	96
PID 3792 wrote to memory of 1532	3792	cmd.exe	96
PID 3792 wrote to memory of 1532	3792	cmd.exe	96
PID 5096 wrote to memory of 3856	5096	service.exe	99
PID 5096 wrote to memory of 3856	5096	service.exe	99
PID 5096 wrote to memory of 3856	5096	service.exe	99
PID 3856 wrote to memory of 3844	3856	service.exe	101
PID 3856 wrote to memory of 3844	3856	service.exe	101
PID 3856 wrote to memory of 3844	3856	service.exe	101
PID 3844 wrote to memory of 2024	3844	cmd.exe	103
PID 3844 wrote to memory of 2024	3844	cmd.exe	103
PID 3844 wrote to memory of 2024	3844	cmd.exe	103
PID 3856 wrote to memory of 3448	3856	service.exe	105
PID 3856 wrote to memory of 3448	3856	service.exe	105
PID 3856 wrote to memory of 3448	3856	service.exe	105
PID 3448 wrote to memory of 4832	3448	service.exe	106
PID 3448 wrote to memory of 4832	3448	service.exe	106
PID 3448 wrote to memory of 4832	3448	service.exe	106
PID 4832 wrote to memory of 4824	4832	cmd.exe	108
PID 4832 wrote to memory of 4824	4832	cmd.exe	108
PID 4832 wrote to memory of 4824	4832	cmd.exe	108
PID 3448 wrote to memory of 4632	3448	service.exe	109
PID 3448 wrote to memory of 4632	3448	service.exe	109
PID 3448 wrote to memory of 4632	3448	service.exe	109
PID 4632 wrote to memory of 2316	4632	service.exe	111
PID 4632 wrote to memory of 2316	4632	service.exe	111
PID 4632 wrote to memory of 2316	4632	service.exe	111
PID 2316 wrote to memory of 2328	2316	cmd.exe	113
PID 2316 wrote to memory of 2328	2316	cmd.exe	113
PID 2316 wrote to memory of 2328	2316	cmd.exe	113
PID 4632 wrote to memory of 1028	4632	service.exe	114
PID 4632 wrote to memory of 1028	4632	service.exe	114
PID 4632 wrote to memory of 1028	4632	service.exe	114
PID 1028 wrote to memory of 1852	1028	service.exe	115

C:\Users\Admin\AppData\Local\Temp\148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe
"C:\Users\Admin\AppData\Local\Temp\148f0e361548ac9c3092ed17d99e48df5bf1905c38cea817b6d5b9e4dd1dc95b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXCUYT.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XXLMHFIXLSBNSCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3404
- C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
  "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe
    "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUWRPRHVDL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe
      "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKRVH.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3792
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIQHRNIYRDSCSSQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBQYPJ.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSOMRERTOHKLVRE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBNTYK.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKTKUQLUFVAFUVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVCQPC.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NKJNBEAOUNDDFAH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTMQRW.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IHUBKYUSCXJCWYD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEVRR\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEVRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEVRR\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        10⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUDOT.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVGHENFKBYMNJHJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYNWJ.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSGSDCGYXTVHNUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXBYTS.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCRSPYKQVHFJELA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QURFRCBFXWTUGMT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHQDYC.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UASWROPBHOPXATT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSEKP.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJBTKHBRLMVYLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDKO\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDKO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDKO\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
        18⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIVDMD.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NWIOTFDHCJVWRQS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGCACXSFNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXTOCYJYEIYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIPTF.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGSYOM.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPXPCEYAVPDKFKX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBJUVQPRHUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBNTYK.txt

Filesize
163B

MD5
a790e9272ab56375181836fc378980fc

SHA1
f8813bf44a1245416f914b71784eb6b09322d1b4

SHA256
da9debdc0f49d5bbf316d91921c12514094eb321de3a89832f59f605cd336549

SHA512
011b818460e64d54f3b6d52f820d91fbec4cc67f947d8ba501b3f3606dfab611827e8fdc8543891b861a3b00ef1ad352b2c27e309199f39f936bcaa829cc0f51

Download Submit
C:\Users\Admin\AppData\Local\TempBQYPJ.txt

Filesize
163B

MD5
0aec865ffc84263d206a53ba994ce5c1

SHA1
b78d73be451870d480c55edfe7d12292e22a54b9

SHA256
fe9d809372a9f4337abcdc50a4800e110f6c26dddf35c649bd71b3e16a12c069

SHA512
f953f4290d7c3d4f8750b4ab0b0130554ca2a7bb7b0bce7debad8f075af4e0cea4aeef6e6290ceaea0e7bdbb4c05dfecc2838bb24cc4e02b80dd73186636ac53

Download Submit
C:\Users\Admin\AppData\Local\TempCWAMY.txt

Filesize
163B

MD5
e466b7bef8cce718fbb8bc343b27f16d

SHA1
d0b057a7abfc0101b77e241f77518957a66fe528

SHA256
691ff9337efd6cc5bcff0305153914456107aabf12afc973729a3bf48110cc8d

SHA512
39259ca71f33b1d5c91fe3783e942627708ab66c07992c56e01729c384af15bb2a710d3f21a41862941a1378004260d9cb252fe1a127cbf84d74a6fcd92903a0

Download Submit
C:\Users\Admin\AppData\Local\TempFYNWJ.txt

Filesize
163B

MD5
aa360382156aade873e7a0fb5579f986

SHA1
4b33262190df5f6eeff440e253b8f351a2d27851

SHA256
6f0fc1859df6cd047d12a46f7108fba64a12daa229bb0240f80dc0107a42a85e

SHA512
e1158fa250b964cf224347e9e44833dec4aff9ad1dd91b1e5283ce5fe67e11bb0763610629410133ee210a9491e848b7cdfa95eca3d41aeccbc7efedf1113dca

Download Submit
C:\Users\Admin\AppData\Local\TempGPBHM.txt

Filesize
163B

MD5
80e4f9573ba872b2e0ed257ec33308e5

SHA1
5120fdcb2915c1fc44e37c2e75395483d6dca2a7

SHA256
b0a1faf02d404fccfb1216e14a6fd37295d737017fff6dbdb334cdeccca0f713

SHA512
e973d6a7576c7175e384d2bd14eb17dae88c996ee9ada830749985a13245513330196556bc87e80eba2fe93b91f5f0d6303b4156eb1b1e55fea1f9cef325035d

Download Submit
C:\Users\Admin\AppData\Local\TempGSYOM.txt

Filesize
163B

MD5
b180bb284ff79a4e7787d5a7dbc08f66

SHA1
3775a73bcc236f3ee45db9e5060a18dadd5fd0a6

SHA256
a24326844eab501e7d944f85fa09143e2e9f896c8166854156eb5aa1a7e4ad31

SHA512
b5b5458815baaecbc7f1fafa9263979cb6d17ec03d88eb9f9b4f6200ecfbf71bef834317a1f344bfa03cca5275b3418b741b4e361ca420e58d6081ced5fe52dd

Download Submit
C:\Users\Admin\AppData\Local\TempHQDYC.txt

Filesize
163B

MD5
95b94510e39041893d6366349feefb1d

SHA1
fe3adc1fd28eac1d6ad5b49dd6ec45b73454292d

SHA256
60443bb95709baa1ee361dcb72690587f92717ef17ac745496be9be41878f3bb

SHA512
1f0c81e90b2614f0940489adfaced48349308a43840f5a4110af72c9d3901efb97dc903ba2530fd2eb35bf10b8babf6f578c874ac2f4c52a92f5411801192c2c

Download Submit
C:\Users\Admin\AppData\Local\TempIVDMD.txt

Filesize
163B

MD5
3c0aaa682527243339d3bca853f658f3

SHA1
0211b7304e76d85f81258ec670bc306a54680d23

SHA256
b4188780684711b28a7f18a96eceb68146bc8890ad657cb96ad62b5e4cb70a88

SHA512
14df4b1667e96cfa1bfec18197900298529b8727f574686b0b2064acece439af49b90f32bf58d51aaf55898b784e696597a149c315c4ae68a230322a0b09b181

Download Submit
C:\Users\Admin\AppData\Local\TempJSEKP.txt

Filesize
163B

MD5
c92e454e5a342738f089bac1c1f15477

SHA1
113653e402e8f40069e46a2ed51d96ae0ea31977

SHA256
c5b3694f0b7b70094f225bee52ff86f1980187389cb5b3cfb215b86ee8fb3f53

SHA512
70aee7040ba128b94826f2f27bb8aaabf223fb26e74a7bb54589e2ddfa3f5eb58bb9141e6366e6c99a0a5e4367b89933d5662d083d2efd828a829e9b6147af05

Download Submit
C:\Users\Admin\AppData\Local\TempLYGPG.txt

Filesize
163B

MD5
2538190c6062703177adfabf523b9e75

SHA1
85c7ead20672b32c7efdfc2a759c252cd82bac7e

SHA256
16f5e79997c3314eb05c63dfb750478c20bf0f0b485544e73fb8521214643c42

SHA512
3e99bbd7c635083eb18b1f53f4abcee43429493725ce6cc4b557a7fbf8f6fc0a61315e85701b42ce2f52f16c60cf48bb5dfea3b5061db8c54fc79276fd67d846

Download Submit
C:\Users\Admin\AppData\Local\TempMUDOT.txt

Filesize
163B

MD5
6ca732f9ec65f8818cef762a464a9bf2

SHA1
f10168655011c945faba5032e07e820ad6a0263c

SHA256
4bdf27956804bc2d81827feb1777ae6e17e2cf42a65d9cc14f12065f43763e11

SHA512
cf02c87d2165f89fa9addf6d6b546b8ded4930d9ebda812eff036a72f9809ae44b85336e3a00fa526b8678b041464a3f9562a7c8133953b17f85a84bb855080e

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.txt

Filesize
163B

MD5
8fb2974bb2dec7678e0d35da6b443a76

SHA1
730a2ce76d734b2df61e5265a1efdd10639e5012

SHA256
80ea1280d594b9b3f4abaff419976a5a56c74a3e730bc956022e6810b5385b27

SHA512
a6d19b9b9320ace7835e1886135d5299a5886aa9b6b9527060308e2dfbf8e5e92cf7bf775ad992d13ee904ab2b9c8e05551390a4115527da1bac6252ab3d0323

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.txt

Filesize
163B

MD5
c0a9823a48f1f0bde3a6e26890a2c8c1

SHA1
ffbef3a9e4e34948c864f8c16dfe3b6742888660

SHA256
e66ed12812b90a6e067c7fdcd9d7098e1c21a54f9ab491101fad56d20a9e7457

SHA512
fa27f75dee99ab3ee42273440cca0068a2c668ff0f9a25cc5b1b80f42ee30a5d9bd483df9a1b35f332978652cf17d799ccda67a0cee6f3f27f91f9436f1c9ded

Download Submit
C:\Users\Admin\AppData\Local\TempTMQRW.txt

Filesize
163B

MD5
a365934fb4c6eda3de0cc3fb4cb52ad4

SHA1
7a063a3b247e49250417866a3eb94991b41ba666

SHA256
c678dcc091d83825ed86ba1abe53afa1d78b6ed85abf4c65bbe22e8780a23aea

SHA512
e7a7bce85be27ea404417db50518564ffb521e11b58d1f9c070fe5879c1c701de8448df0f384b5b7db29f39e6e0274e95ab5ec40d6da1bd9a6687cf882110879

Download Submit
C:\Users\Admin\AppData\Local\TempTOWKL.txt

Filesize
163B

MD5
cc4e1b593b0b05014a009f669a25e6de

SHA1
bb1dba5d5dfb7222b29d80d282d3ca8a7e43b4d0

SHA256
009152a6a633421e67723b28dd8b601065ba0a303956c8dbb1d4fab82564f66b

SHA512
d58dfd75f6702824d4c2fa83b0938b21c79a11c51eb72e2043ceb65f8fb23aa7485cfb430ef6a15d773726dc1955833655e63c68afdd3dab198a287f9f52f256

Download Submit
C:\Users\Admin\AppData\Local\TempUFYYN.txt

Filesize
163B

MD5
7a0ab841d6d8a9f1ee54e7aa7a2303db

SHA1
43bf442ecdaa5bebde31091ddf5c942a8936e5bb

SHA256
81cdf7195df4d018455da790afe13a8e9b81882e4972b170e7b614d6929dbc23

SHA512
24f9228b9b9c227ae773f9d47f72f5273cd3cd516993b4fa17850649c26c49d7e0fc11ccc383b0acf89d133b8656567f9d30b0855722fbb2cc9b3bb6994ab2f7

Download Submit
C:\Users\Admin\AppData\Local\TempVCQPC.txt

Filesize
163B

MD5
fea656125dc61321bfb62f5624332d04

SHA1
17116005b299006a9e422332972008c6a2419536

SHA256
f7e7976bca8e19bb4df4a257c91f05c13c3fa34c60c697dcf834d5d72c1660e1

SHA512
e7f42e6f81ffdeabe5947fdf4733e73fc0b19ca53c4af7e4a7c2ec17e06cf20f2fe9cf2d9d04c6bac0ccd929d0925584b3e0c2fb522c111e6ff6ba213823b3b2

Download Submit
C:\Users\Admin\AppData\Local\TempVRQFO.txt

Filesize
163B

MD5
3cc8db8f1b9a8047561ef21292228b07

SHA1
aaa2f3b7f1acd31b1fb2434bb05321d79779e801

SHA256
7c75ecbff079359cd1f5c877aaf75fc2f175a04611db6fb23b3152fbe02ef5b1

SHA512
10aea21dfd242036065f7df402b437a7bd6680172759d5a379d742fdeb5212d08ffdd59dad6193ba3effde8748ee34432564e82ce6f44d10958b3e777a177114

Download Submit
C:\Users\Admin\AppData\Local\TempWALYJ.txt

Filesize
163B

MD5
3e309384c79a2a970f6358bad7f6c81c

SHA1
64981c10395fecd2b2f121380fa09c537f81f976

SHA256
648fb1f9b9a50ae0a1e8caaf22cf0699b318c27e628023090fd3522642e3a428

SHA512
781348fc581649e79b3718de8d90644b9eb280ce7f6fbb37cd3eb85f05abd30fc914683db003f582c57ece91c29447d7c470c25d1f085cab71f5c06831ed4bbe

Download Submit
C:\Users\Admin\AppData\Local\TempWIPTF.txt

Filesize
163B

MD5
652f407aec6e62db91f8dceaeb49bb33

SHA1
0eeded2abdfe0fb8c0eeab654b062b4bf3030bfe

SHA256
9a073162fd314d1076ec3bd0432a678aa65b00df5414ade34a9f5fb716951e5e

SHA512
7ccb3fc2c29cc1257bb2eb0d163e07204c476d0c26a2208a38bef33ad45781d50738b8c356d29f478bc467efd4d767cc406ea26035dc010e6672de293d228960

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.txt

Filesize
163B

MD5
aa7685ddc11f64b6cd488f675eb99cd8

SHA1
35b23f577124bab87af125549e6e0c1ab84269c3

SHA256
fbae7c44f8d524c51d742c91b1fa45ca8efc06fb7a67adecfc7ccab60a6fbb0f

SHA512
72155219fab90f14d48d356578d9a119a39ba3fdb3d2dbbe50bf3bfa1aa8fba1e593d3475c50cae4b11d1220aa63a8f5a143897167bf973ae60e48cc4a255700

Download Submit
C:\Users\Admin\AppData\Local\TempXBYTS.txt

Filesize
163B

MD5
fa58c8dab32aab719316e3c5437e3217

SHA1
8b5599940747494443188abe73de72723810d1ff

SHA256
966c1c496ceda6f73edba2c51f6b6eb75fc8e1bf95ae6e500e0293f9bb7cf370

SHA512
63ca74f6667ab330eef34cddb20adad91c995de0582d3c9b9148170119421f0696b5e792b16c04212c70e4298d0f8ddeaafcff828469e622119ad540382f4e52

Download Submit
C:\Users\Admin\AppData\Local\TempXCUYT.txt

Filesize
163B

MD5
391048ad6578858e784774926e71630c

SHA1
275c162eb8e0ae771cbf2339b357be1d1966f95a

SHA256
45e401e71426e966a2f03906fd866736ca65bd2718b9db2e2f9476e1ddd40707

SHA512
99fb7120c8a3cd9b595c1cbef2d3324cc485416c53d4e1c176582f29d9a757c9eed73a62a1b2e6d5a994701399b85de37638b68fb0f344b3d9d1a45c75554e19

Download Submit
C:\Users\Admin\AppData\Local\TempYKRVH.txt

Filesize
163B

MD5
847c3ea9a0b813e316f07cc07a91997e

SHA1
fb064775cd5fc21e05d25fdc955cea33650d5779

SHA256
d52e14324cf7ce400c4d9e248bb706191d515b4141ed31f2edcf8d1064555e47

SHA512
a33592bbfcbadce97114dde5d83a312b088820458c1754fa5fb25847e76a07b04b537ca35646750ee4775e8899e4fdeb2512816691dfaf294ca879d0ba5f08ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.txt

Filesize
520KB

MD5
02047858e65bb55d31f5909efab1ba38

SHA1
2bed7d64c211180acb385ab3453cb73468b9bf9e

SHA256
571659c8978d7f585427c64aad3d747bed75c856cc19768a6ae66c378654d275

SHA512
711d4d9b529899e5ffbfdfb5f4eca8f3759c0bf63ae78fcc3a9320230def229ff69eac10e9bba73577607ab16e13ce953478e76f3d5c255906802beb34ea4de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDKO\service.exe

Filesize
520KB

MD5
ce57afe23068f994de4a9999fae0a943

SHA1
c85359bef9f6579a38f3f9eebc95772fcae52c6d

SHA256
69dd0b39628ee60441112ecf08ff35e5d43ddadbaddc32a59f5f045389a62a6d

SHA512
cdbd9ab4069e950c5113ba5245c2c296995885d0bb9363051943df498b2540afebba342b4e6e96e91573ce627b391c0d371aeb32ed55ad9371deecbded9637ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEVRR\service.exe

Filesize
520KB

MD5
25838d704b64ee45b08f0f3168bf2973

SHA1
46d91bbf777da3d9bee4aa70968f84fa38bbd647

SHA256
beac2aa7b7a3cf47d97ffd4a5ad293a1ed267a8c8643f85d9ed65e955b01c8d0

SHA512
9786c6665bdadf6bc18bf274ec69d8f214d0a7ff76eb4fba388663922ba0215f69c9b56104921d0283dd43f6b9c0c656678e705e57cc417f1ab5e8ff68609d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe

Filesize
520KB

MD5
4f59ad0dbfa8ad14679d24466770a1c5

SHA1
66e6f33384ab11ab45de779ed86d2e9872950b32

SHA256
55ccb5da4eb28158d136c8d8ca4b4434ae48d9363ac569b36c137bac1676b3b0

SHA512
5b6b62dcf51766579ad4bc6596f546f85a13a97cc57c1ea08883eb4df768b31706d53c72a7e4b5aca1305a399960334a091b59ddc4dd211ce0f0846f1e4f1d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe

Filesize
520KB

MD5
5e91c84a9dd25d3ea53d5ed63b1e9f12

SHA1
1c77097cc839b0a1a384d3b3cf0c9c633705b402

SHA256
bcf84e0d74bfd1a1d9a5a8ab118bb8503ed07130302a15f00fd0f12751e3e8c4

SHA512
9250f9b08a162b3242a19b69447e55c8fb56291e0ef65e58903313c719c0cbed5694e758cc158d6c1fc9ec65ae164ea84b4ce828a9c75a823cf06746c13366f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe

Filesize
520KB

MD5
965c4fe32bef6eb8e781a8f6b8ba3222

SHA1
32870d82a351c13078e109fa42af497c79b91c6d

SHA256
b2e3398d5e62f8149f71fa3c8eee113be813d8e555ac9ff7206e8082da57eb8d

SHA512
6cb0daaf22dd7912cb3de4b649db950cbcc492dc35a1a752bb8fff26d4a073135e3e186d80ee90ba0debfbf30f7e0d95e4d356ed24586ae16059b37663c843ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe

Filesize
520KB

MD5
212f39b77aada79a416177c3307f0876

SHA1
1bc934570cc0a41a10377c4ee42d663a0b27a40d

SHA256
9923e98c741350bf611b2769837234633b353c2f9cfb3256dd4042ae917f54f8

SHA512
88bf41ade94390288f824334c526e1ed6a2f38e67bde7af0653b90a8c11128b915a25ffe223f50bf67bde5aae500a20800ef8358ef15dadb8f580c34adb8104b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe

Filesize
520KB

MD5
aa02338fe266d897fa1d3b075c57ce5b

SHA1
746975451d17fec1f0ff81e794312eaddb53ee9e

SHA256
3f273b8f45dbbde3c4a41866817beb14bb2bf181703e4c80dc98eaf4e30f1878

SHA512
0ed288df171a91dd277b4f0d75b9b32e7f336eecb5cebaa3d076e1f169f1e217f382efa1e89653ff66cc518546a408e7393cafd2aa808baed235b5e484a7ece3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe

Filesize
520KB

MD5
79a5db1c21b18c050af7b26919706043

SHA1
f751145fda1770283e25cb8e9eb161c013c01382

SHA256
88d31cd9fa1616fbecc50a5959076aaa76a1f91297d4bef71f3830a624c882c8

SHA512
e550151fdccff603f2b10434c9707b9d537b39ce9219fea482608795a735aa5ec56fa103189f42caf1b078e3ad049c6f66505c9ade0bacc2e8547ef32a778803

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe

Filesize
520KB

MD5
66acc0f41bef85c7e4c26259b5bb6b16

SHA1
d86a23800c93b37f4f78b7f3892b399160d7fa94

SHA256
0b4b508e2b3d3457fad64b4034b7f00d08ca93ed184d1ac272c1ef2a59ad9a11

SHA512
63c04851f168d5de5d81cd14a19fb8bcd9a883a1e6c02a274c80fd29f45fa0264d805b6d12bcafb62957b190b56ee92b931be9689b2698fd42d85e101767fc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe

Filesize
520KB

MD5
fa041fb0d97f48d297c5244d83728dc7

SHA1
41f3a1843e7a8edb456b642e23a76b7d0758fede

SHA256
0f1cbf257d14ad5b18685d46d16b3e9988e6cfca7c7818accb4477336ebe050a

SHA512
e496673cd94b16edcea36c1d3bf20c043305d2d4e7d39ce5700ae2e06166227e80ceabf9eece3676b9cbc7f37b74d3d426c58ce3742aaa88775ebc57f2e9fd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

Filesize
520KB

MD5
715f1c8ee410cb64be92e7a89034d53d

SHA1
b76bdc999f0d0fd31897af35c474c73da1508c89

SHA256
4b418d00672bb4a5411ac01ce33e1461f4fd183d6e73ce0d667ce4adb2c31a20

SHA512
9e351cc5161cd36cd90f7da0507927e92bf1cbc5a67783e9bd7614318997ea1ff2c8e807bd6323df5f6633424b4874a2d4089f4faadfd2334d92cc7763aa1a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe

Filesize
520KB

MD5
bd94055a223fad65f87d0a8f9a767441

SHA1
4469dbd633bfc26551565b941c0e3ed41b930d9b

SHA256
a0a21a433dc4fc97438620f9786cec7a84865a316f87269ac9f7874123301365

SHA512
96127454d725b4a62677947383138ccf0f90a7273592f6e58b00953044143adc08efa5c11a706f579f1105738a4d7526122096bb689b5e8bb6f9df340bb7d4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe

Filesize
520KB

MD5
7c7ab3d634800ddd26514d68e8cb402d

SHA1
f27c3af18bbfc23ebf88b7fce45c70912310fb60

SHA256
4f78f9aad23842d0e61bd167e1659448e097901b3ad11837ad7bbb186d159923

SHA512
6e0ef4e142bfb4cc5279994895f7df2ac597752352261790b594ef24b06753481f04492f3b790712550d75a13baa89511534d0240e13e69dbed770b0020d93ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe

Filesize
520KB

MD5
4dfbf750f45350789fea5a6aa762eeaf

SHA1
30465880a9615bf255919ef6d3a0c8df93abe81b

SHA256
f2a0f5c19d24b9dbe11d660ba183a7606478f8271acaf85d14883ed3edb92c65

SHA512
c9318350bdf5fca16eeb8614a79fe62d67a60c4e1e80779fbea5ed96ef8eb99644f2c55b9b7fa0cb4aa10bc927fc848a996916c7dfd65b37f2ea040127a2a751

Download Submit
C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe

Filesize
520KB

MD5
ba78bae5fe0c8f63a699638653c535e2

SHA1
3e40673d9559551918b5a2cd4ab34d5a65f1e9f6

SHA256
123b28e024f6f2ab79976511eb02ef23fb452a8b8f5e6636ad62d50300f3265a

SHA512
626009ae68d668c2da859c5d1ed600c7dceabb9bdbb70c816e14fd89c4cfbe65982f84f529a22647d4c8b756bbcfe2dab99641e7e1038bbef341c3bfe4ce9b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe

Filesize
520KB

MD5
f2a72d490f7fda793d91e007cafadee9

SHA1
349dbb675c95b110d5266bb5f530f5a47de8f41e

SHA256
a4631f651587fac0bbe554ffa102cca426c9ea51c76842e8f66ac57eec02ac57

SHA512
9da889cb430d4f91c3aadfafaf243bf7e07e10d9bf694958e420ea8f89214a4eae23b3d7726620d5b44cce9a97388fee6e724ef42cad49a90ae1ee57a1e1e04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe

Filesize
520KB

MD5
79680428d441a34de0134a576e6cd1e7

SHA1
1a827756b4118ade340a34f6bc46a03c3cb95fbe

SHA256
24fec6e94976971e1f903f008cd53974b50bfba2d13369cf392d497dbeef24ba

SHA512
71aaed5d020701bd4d088ce9edaec0cc4a3e2535b01ca6fef72702e2253214729dc91210522f68afa78fb4b91bae9b8a39864f245187fd7abad2bf77117611e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

Filesize
520KB

MD5
27b32f483c7f4287e5e836b2851df876

SHA1
82445bea9e3da4f18c3475487b97a2fee0c28435

SHA256
374c1e0d0721db0e1f192b5ce385dc45b26fc71cbcf6cc939d43596c67bb62db

SHA512
6530834f3f315aea4ed8b1ee22420d4228e67328534a8bcd0ee93442a926a1e2edad866dfaf47dfd46e8a4351651569aef309f61999806f55d4a0720350d4e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe

Filesize
520KB

MD5
6c6bc95952e73d9093fe61513bb08399

SHA1
fc70a37d2cbe01ca921083d0cc8e2ffdde5e75c4

SHA256
ad6ec2d8949141c20bf2e5f0e62ab394525744d28032b873a87b06063d14c529

SHA512
7f26b7b3e7881b77155142e0d80ba77f04ff51015ddad45d16e79f775515aa70afe4e3274d1e8718d2a79240047c1f488692f8e935cb2334390616cfc7caf39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe

Filesize
520KB

MD5
84de533bd994016ae6a083b584d677d1

SHA1
611734721fcf7916af2e4f28cbb51678355d5c7c

SHA256
7fa341d5b6bccc30ff2172da6c489d2f1520abdbc586df16d245a0099b137ec0

SHA512
7b616a30ea2f7e579032af338554b1a2c181e349d7ced6dd1fa445cb4970f778efad29ceb7f9ce5cf90161db84ef6e88fc524cf64f7e6879099f64d68ebecd1c

Download Submit
memory/3172-642-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3172-643-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3172-648-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3172-649-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3172-651-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3172-652-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3172-653-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3172-656-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads