blackshades | 3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
Size

520KB
MD5

231b70e02dcab0e5f503c58166606891
SHA1

56af8431911a339fcbfa02bd70dfb0a7ac3e63b6
SHA256

3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba
SHA512

5d0dc0beaccb04b0fe8f94937f5d7de6b19e0e941f39bf7dd69404d02ab036ba2d42c9d1f89a554042d383e6d86902ba8446797c0b131009b0f7d3ac201afe3a
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXM:zW6ncoyqOp6IsTl/mXM

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral2/memory/2416-690-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-691-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-696-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-697-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-699-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-700-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-701-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-703-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-704-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-705-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-707-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2416-708-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXHTTUPNUQFTBK\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

Checks computer location settings 2 TTPs 26 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 27 IoCs

pid	Process
2684	service.exe
1204	service.exe
1192	service.exe
2996	service.exe
3916	service.exe
4916	service.exe
4644	service.exe
2928	service.exe
5044	service.exe
1340	service.exe
3524	service.exe
4452	service.exe
3180	service.exe
2712	service.exe
3924	service.exe
3708	service.exe
4684	service.exe
1496	service.exe
4636	service.exe
3260	service.exe
2652	service.exe
4304	service.exe
2660	service.exe
4216	service.exe
776	service.exe
2512	service.exe
2416	service.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWXFT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSLBBDFTBONAID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFKYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWDMVTDAYKEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAVHWCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAPQOWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJKGEGWKRALQBNY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDECKDHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COSPDPAXDVUQSEK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LRWIFJEMBYCUSBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XAXFTSENEWOKFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMYJIMDNTLCCEF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWRHVDLCX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XAYFTSFNEWOKFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSODRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMTIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEEAVQDKF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNSEBFAIUVQORGU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQJPWHIBVACSPPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDXTOCYJEIYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYBLRYYJACDRNMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QREKRRCVVKTGFSW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORVTWHLREBQYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTAJWSQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVHOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGGIDAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRTXVYJOTAAGDS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUNDNGFHYUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRDSCRSQYKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LGVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYHITQOSNVJKCJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJIQEEFAFBWRELG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BVWKXIGLYCMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXHTTUPNUQFTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFVOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGGIDAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRTXVYJOTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KUQLUGVAFUVTCNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOJYWMWQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQCAEHSTONPFSAJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQYL\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2416	2512	service.exe	207

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1484	reg.exe
3304	reg.exe
432	reg.exe
3752	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2416	service.exe
Token: SeCreateTokenPrivilege	2416	service.exe
Token: SeAssignPrimaryTokenPrivilege	2416	service.exe
Token: SeLockMemoryPrivilege	2416	service.exe
Token: SeIncreaseQuotaPrivilege	2416	service.exe
Token: SeMachineAccountPrivilege	2416	service.exe
Token: SeTcbPrivilege	2416	service.exe
Token: SeSecurityPrivilege	2416	service.exe
Token: SeTakeOwnershipPrivilege	2416	service.exe
Token: SeLoadDriverPrivilege	2416	service.exe
Token: SeSystemProfilePrivilege	2416	service.exe
Token: SeSystemtimePrivilege	2416	service.exe
Token: SeProfSingleProcessPrivilege	2416	service.exe
Token: SeIncBasePriorityPrivilege	2416	service.exe
Token: SeCreatePagefilePrivilege	2416	service.exe
Token: SeCreatePermanentPrivilege	2416	service.exe
Token: SeBackupPrivilege	2416	service.exe
Token: SeRestorePrivilege	2416	service.exe
Token: SeShutdownPrivilege	2416	service.exe
Token: SeDebugPrivilege	2416	service.exe
Token: SeAuditPrivilege	2416	service.exe
Token: SeSystemEnvironmentPrivilege	2416	service.exe
Token: SeChangeNotifyPrivilege	2416	service.exe
Token: SeRemoteShutdownPrivilege	2416	service.exe
Token: SeUndockPrivilege	2416	service.exe
Token: SeSyncAgentPrivilege	2416	service.exe
Token: SeEnableDelegationPrivilege	2416	service.exe
Token: SeManageVolumePrivilege	2416	service.exe
Token: SeImpersonatePrivilege	2416	service.exe
Token: SeCreateGlobalPrivilege	2416	service.exe
Token: 31	2416	service.exe
Token: 32	2416	service.exe
Token: 33	2416	service.exe
Token: 34	2416	service.exe
Token: 35	2416	service.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2468	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
2684	service.exe
1204	service.exe
1192	service.exe
2996	service.exe
3916	service.exe
4916	service.exe
4644	service.exe
2928	service.exe
5044	service.exe
1340	service.exe
3524	service.exe
4452	service.exe
3180	service.exe
2712	service.exe
3924	service.exe
3708	service.exe
4684	service.exe
1496	service.exe
4636	service.exe
3260	service.exe
2652	service.exe
4304	service.exe
2660	service.exe
4216	service.exe
776	service.exe
2512	service.exe
2416	service.exe
2416	service.exe
2416	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 4884	2468	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	89
PID 2468 wrote to memory of 4884	2468	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	89
PID 2468 wrote to memory of 4884	2468	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	89
PID 4884 wrote to memory of 3880	4884	cmd.exe	91
PID 4884 wrote to memory of 3880	4884	cmd.exe	91
PID 4884 wrote to memory of 3880	4884	cmd.exe	91
PID 2468 wrote to memory of 2684	2468	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	92
PID 2468 wrote to memory of 2684	2468	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	92
PID 2468 wrote to memory of 2684	2468	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	92
PID 2684 wrote to memory of 1320	2684	service.exe	95
PID 2684 wrote to memory of 1320	2684	service.exe	95
PID 2684 wrote to memory of 1320	2684	service.exe	95
PID 1320 wrote to memory of 3972	1320	cmd.exe	97
PID 1320 wrote to memory of 3972	1320	cmd.exe	97
PID 1320 wrote to memory of 3972	1320	cmd.exe	97
PID 2684 wrote to memory of 1204	2684	service.exe	100
PID 2684 wrote to memory of 1204	2684	service.exe	100
PID 2684 wrote to memory of 1204	2684	service.exe	100
PID 1204 wrote to memory of 1848	1204	service.exe	101
PID 1204 wrote to memory of 1848	1204	service.exe	101
PID 1204 wrote to memory of 1848	1204	service.exe	101
PID 1848 wrote to memory of 3168	1848	cmd.exe	103
PID 1848 wrote to memory of 3168	1848	cmd.exe	103
PID 1848 wrote to memory of 3168	1848	cmd.exe	103
PID 1204 wrote to memory of 1192	1204	service.exe	104
PID 1204 wrote to memory of 1192	1204	service.exe	104
PID 1204 wrote to memory of 1192	1204	service.exe	104
PID 1192 wrote to memory of 948	1192	service.exe	106
PID 1192 wrote to memory of 948	1192	service.exe	106
PID 1192 wrote to memory of 948	1192	service.exe	106
PID 948 wrote to memory of 920	948	cmd.exe	108
PID 948 wrote to memory of 920	948	cmd.exe	108
PID 948 wrote to memory of 920	948	cmd.exe	108
PID 1192 wrote to memory of 2996	1192	service.exe	109
PID 1192 wrote to memory of 2996	1192	service.exe	109
PID 1192 wrote to memory of 2996	1192	service.exe	109
PID 2996 wrote to memory of 4464	2996	service.exe	110
PID 2996 wrote to memory of 4464	2996	service.exe	110
PID 2996 wrote to memory of 4464	2996	service.exe	110
PID 4464 wrote to memory of 3992	4464	cmd.exe	112
PID 4464 wrote to memory of 3992	4464	cmd.exe	112
PID 4464 wrote to memory of 3992	4464	cmd.exe	112
PID 2996 wrote to memory of 3916	2996	service.exe	113
PID 2996 wrote to memory of 3916	2996	service.exe	113
PID 2996 wrote to memory of 3916	2996	service.exe	113
PID 3916 wrote to memory of 3976	3916	service.exe	115
PID 3916 wrote to memory of 3976	3916	service.exe	115
PID 3916 wrote to memory of 3976	3916	service.exe	115
PID 3976 wrote to memory of 2964	3976	cmd.exe	117
PID 3976 wrote to memory of 2964	3976	cmd.exe	117
PID 3976 wrote to memory of 2964	3976	cmd.exe	117
PID 3916 wrote to memory of 4916	3916	service.exe	118
PID 3916 wrote to memory of 4916	3916	service.exe	118
PID 3916 wrote to memory of 4916	3916	service.exe	118
PID 4916 wrote to memory of 3208	4916	service.exe	119
PID 4916 wrote to memory of 3208	4916	service.exe	119
PID 4916 wrote to memory of 3208	4916	service.exe	119
PID 3208 wrote to memory of 1768	3208	cmd.exe	121
PID 3208 wrote to memory of 1768	3208	cmd.exe	121
PID 3208 wrote to memory of 1768	3208	cmd.exe	121
PID 4916 wrote to memory of 4644	4916	service.exe	123
PID 4916 wrote to memory of 4644	4916	service.exe	123
PID 4916 wrote to memory of 4644	4916	service.exe	123
PID 4644 wrote to memory of 4292	4644	service.exe	124

C:\Users\Admin\AppData\Local\Temp\3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
"C:\Users\Admin\AppData\Local\Temp\3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYFGD.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALEYFVOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3880
- C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe
  "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYOPM.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XAXFTSENEWOKFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3972
- - C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
    "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLOPVB.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe
      "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTBPOA.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYJIMDNTLCCEF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:920
    - - C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGGIDAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3992
      - C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUGVAFUVTCNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXBNK.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIO\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIO\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYOPM.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XAYFTSFNEWOKFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAUJWH.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQCAEHSTONPFSAJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSENEI.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGGIDAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAAGDS\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAAGDS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAAGDS\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        13⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJKGEGWKRALQBNY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        14⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SEMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWXFT\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWXFT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWXFT\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCLCWA.bat" "
        15⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HNSEBFAIUVQORGU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYRXJF.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSLBBDFTBONAID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDXTOCYJEIYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        18⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUUC\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUUC\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
        19⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWDMVTDAYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAVHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "COSPDPAXDVUQSEK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        22⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRDSCRSQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBXQVH.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJACDRNMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWQIOA.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QREKRRCVVKTGFSW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOXOD.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYHITQOSNVJKCJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKYGP.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LRWIFJEMBYCUSBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKXIGLYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        30⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPNUQFTBK\service.exe:*:Enabled:Windows Messanger" /f
        30⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        30⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        30⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.txt

Filesize
163B

MD5
ae9f84bfa6686f6c711c79361c522741

SHA1
e7d34a82f503f47d1c387d59fba18ebefb68bdf5

SHA256
c79e3108f4a8d81fdca4d9ee3965b2654ce1ab9b94a03a8f8fe9a0e0294b4694

SHA512
e0b9b043b5f0d3d1fb296d0deadeb3459b97d06a8a21808525384c4f95ee12ceb5a8d4a291a4e2260fab714c223eb3a5f83b2b52587227ae0dc798d852bf6204

Download Submit
C:\Users\Admin\AppData\Local\TempAUJWH.txt

Filesize
163B

MD5
71ea1d0776e7796239b18faea3c28241

SHA1
fec92955c3180a0e39ed7c94a493ff409d67ea4b

SHA256
26e2fc25fc5e20446729ceb8d7b4155e4801a3fd2670bd1f82d871e443b383f3

SHA512
d0a690fc621fd6b188e9eb1f663b94510b00ad8d1ea3ef6ab4157272fa97f5481055e22b4b28042f1eef1cf87f1ce87ed9e7bed2fb34e86a34db3295efc520fa

Download Submit
C:\Users\Admin\AppData\Local\TempBXQVH.txt

Filesize
163B

MD5
0421624f831bbfbc55712498f7ac30f1

SHA1
2f08a37e248d3dd392af140a8abbc5843fbf8122

SHA256
27663237f1252562de4d6ce1a91f02515be5be04b426812066ccec990a2bc963

SHA512
e46addad1851c2deeef2536d79763f1932a64b53473683915f1a9e5ca188504df1df8890a0b5035b7f745b656700bebcd50c3c7750dbfa8533e99be8dea0f929

Download Submit
C:\Users\Admin\AppData\Local\TempCLCWA.txt

Filesize
163B

MD5
bcb88f7e3556a0b5270d8511808481c2

SHA1
352738a9818334f8d297d48b579536a7c3046903

SHA256
5255fd37b7838d9be5d064d9db9d4b79d3f55a44305ef5278aaa6a84bcc2be94

SHA512
de4335dc687dadf0b7cb1e35b2c57e817041c9dccf6cb7fc56e2a3be3262bcbaf71d3d3cca9c626190c551d1fd85c09d89b22030906cae2254eca0f599980873

Download Submit
C:\Users\Admin\AppData\Local\TempDXBNK.txt

Filesize
163B

MD5
52c6f0a334f196e2d35bb2b75311aeed

SHA1
ebb3ef129d053153da545b1206024e91ef3a55c9

SHA256
330c7a65496b53e96367e491d0fff9e160643e85bda816381ee2e16cdcd19b3e

SHA512
2e4a8fa85c8eae8e4c3df02054fe7687cc68da35859fb80b9ac9b8257cc93dfe22a7969ab64ac7cc89a71a7c6c22a9914ebb021b9d4df58aa5e389c6fbbcd10a

Download Submit
C:\Users\Admin\AppData\Local\TempJSNWN.txt

Filesize
163B

MD5
15285851233d61e2a688de9c160730fd

SHA1
06b9b3802c61ba94d8828729ff9d7aba3da7e27d

SHA256
60bf2801ea6c831308a9257254fec51748f911dd5a3f1f384f31f1515ef6afce

SHA512
90a29fdefa94fab43a002dee8ab95449b626f3db30189662f5ebbc5aba313f3d63e9dfb7687b067e766f4193f72f4d5155c68302c34c7759e92c6e52c7326c31

Download Submit
C:\Users\Admin\AppData\Local\TempLOPVB.txt

Filesize
163B

MD5
ad57839d6044e572388bc37b29c111c8

SHA1
20cc31c9df1d31a9e2eea260edffd7eb56c08698

SHA256
3a27fd81336cb7753069a7121fc8cac717c4b4f8342c67c2a4427098b9fcc844

SHA512
0109ad9fc45b5719ed3c9b1dc0c0f435f3da202dcc2aed1e3bc511c531ed7ac861a0b610fd6203808d06b1a2a2d3f23a6588492370546835ab3aef2a661e613a

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.txt

Filesize
163B

MD5
033c9d9af7265975620041d538c5ad79

SHA1
4545e285f2945b9afdd79a27607fb949adbb69ad

SHA256
9cb2e115ccd62291710df35e8203f70435cb3d32b38085ab5fc91452b1bfa785

SHA512
282d8a0c0091a0e6eacb5cb6dae73669aafe8eb6344a6df4800b85206f592f5cf2c01204bab0bcea4f34c9bea5cba04d48d88c97537af74ed8b17562ac917c1c

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.txt

Filesize
163B

MD5
7e488893ead94784cbfdb3cad2be1267

SHA1
e179fa18b240c727b240a45d068e0eefb474c166

SHA256
4a63114693dfd3e67f87986e7bb37d64c885329c0817c3334b10ae87c5143cac

SHA512
2ecb16b534c6209b89d2f1cab3c7957d914228ac4c2bf9d3057150835c8b02638a25fa5350cc2d0059af153bffbf0743af9f08e0ded6418660079f0e9162ffa7

Download Submit
C:\Users\Admin\AppData\Local\TempOVLJN.txt

Filesize
163B

MD5
cf95fe0813601aad06d04cddf6099776

SHA1
9c65e8c1dd65d5b1879180b13a7147a336755ec2

SHA256
8f7145662cd11c3071ef83a03522248ac6418d9b33037d925a3a1ce91943ae8a

SHA512
9d45b45413e5f9113ede89a5fe5e319201d331e6fa4aab68531e4d8232843e2279e61574257ebb62037ffb2f3c1d3fdb1908e78ee1a0c2c9e6ba05fe16a81d27

Download Submit
C:\Users\Admin\AppData\Local\TempPYOPM.txt

Filesize
163B

MD5
cad82b8eedd4e8c1540b083120eb9516

SHA1
0dceea9f9586f8ef0a74fc79af9d69b292c8d28a

SHA256
0ec70c733ab36052c4d0ef68aaee26fba15c2a1f31e5e045c6273bd3506def1c

SHA512
2bf2ee260bf4111b4d8a9e468996be3d4bd1f4e62e8fae9335b3aa428df2d2d19d60a601141f859d3d72637eaab2f977d60399dd2f090ec60885b3c56313bbfd

Download Submit
C:\Users\Admin\AppData\Local\TempPYOPM.txt

Filesize
163B

MD5
fc544ef2bfd21eec92b7deaee3d7942d

SHA1
f73e20453737667470c1457962db808a247a234b

SHA256
12a3d89c11baa9d825951357f9f3c119431fc085c4e718efceaabab22e56e836

SHA512
627b3c704033c11e1152d9d75ee86654f3224675e2e6dff41460c5452011209f9ae25dda7f4c4a78d8b6254aa8463d089bf2dc74177f30aa58e064baf712a007

Download Submit
C:\Users\Admin\AppData\Local\TempRRCWV.txt

Filesize
163B

MD5
2055c28d67c603566c573f006d91d18d

SHA1
e5fc25e8fc106538c80f41f6be384afc1db3d4f0

SHA256
e1946eeb933aee503dd39a2fe33a8f8b7372512e51e828780974466d6e4eaf68

SHA512
731035f0c9662feb5430e366793da63a8fd518c59a63d3c86984ed138870649cad2775944827636ef66bcc5b7faf7e6a1d0692f9d579c7c41c3d925fd58780bb

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEF.txt

Filesize
163B

MD5
838e5fbd1da29401a5a665f007846f2e

SHA1
d036fcdeb4083d1e8bf7f26d9ab5b32c2195b56f

SHA256
3dd253043f0e48a4e1efe6ee82dfda287a1de8345c7da885ac7c59719f3635e5

SHA512
a43da089cbb2b6b2a896fb8bca33bbd9a9b006f7bbd98c373a6b8845ac3fe67f86275452607b1500de276a1efed7d8be321f870beb0dbf79ce6e87aa1c993831

Download Submit
C:\Users\Admin\AppData\Local\TempSEMEH.txt

Filesize
163B

MD5
b67a8c04236eafed35a35ad909b1a4a7

SHA1
469ac234a2c09e4172fd517582978815621315ce

SHA256
e4063c5f22b74b0fd10f0820a522bd5467c98c32f6a2506e355072fdfbdd605e

SHA512
87dee30a15c5ca161e3705f572151a4829e52e6b73f288a2bc6d9657c3e75fc2b5ca49b2f1d314c48a304cf9952d0c2957d80df9f9e9ab8af3f2d3c4c5d41fea

Download Submit
C:\Users\Admin\AppData\Local\TempSENEI.txt

Filesize
163B

MD5
00edfe5a836bf7e1ef2e4dacf2803faa

SHA1
3209391da6fdb6591b2b9e808f303dacac46a0d3

SHA256
e5acfd6fa9cf9a62820fa09bd88a9163b9b473434b6fc079105d6ada2553230c

SHA512
4eb3e46916b0abda902aadcc9c74ba551d524d97f6fa38eca1cf5f08a3fcf1e3fd40ddef3a22997d82a361589249349955932f3c464a87b0dec44429add91139

Download Submit
C:\Users\Admin\AppData\Local\TempTBPOA.txt

Filesize
163B

MD5
7c081997f271a32cf8a8b75b75b4aba9

SHA1
4e072863bf7aad3a25532ed3b8d95e7227a401e5

SHA256
2e9d5e16a773e9755b3d13f818ec087910adb685d56bfe8b37cb2108a784f1a4

SHA512
331c7da2c6d99cb26ed9e7395805b8c233fb37b8efccfdaa1a0441b9d63d7c75997dfa829ca65db1a6876da2f10eee32b2666a146faf39721a657efcab87ed4d

Download Submit
C:\Users\Admin\AppData\Local\TempTOXOD.txt

Filesize
163B

MD5
b79b5b8967fa6957d3821ec5056eb10a

SHA1
9842bfcf4b72c602fecc45e7dd2d698fa60e1c6b

SHA256
4b30134ac7901bf1986499b1be2a6fbfa82b1fee0ce16011bd77362f748cfa51

SHA512
0124d0b3af16ff4cee270b6175f55261bca89729aa15754ed33fb2a5b9441a7ffb10c0ea5b7bee446450b04d1ecccaf4fe65b84c5d8403eb30c16099e3ddf274

Download Submit
C:\Users\Admin\AppData\Local\TempTYFGD.txt

Filesize
163B

MD5
55bd06580e63a7d823c402e3d20737c4

SHA1
9a320df48d03746551ceedc83287f4700703f7ca

SHA256
287a2f968633cf190d135cfc4b3ac941701bf2ac41c744790e935db3594d85ed

SHA512
6a50e343f9746be05ef1ce645980d9cc1c4a96f7cd258031c4a8bb70343bad98a2f4b174c156be0fa3cb4012901463639ff87b4e9dc2e28a2b2a03db823db9b9

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.txt

Filesize
163B

MD5
910990c6e11f224c375f4c63e06c575f

SHA1
8f46b6ce9fa641cf0b16fc9c22b4e83982019bed

SHA256
22bc7098f233a44ac609cdeeb09d5a63bf0fc2bd293ae7ab0d04e262aa9c52d5

SHA512
fe0f325ff57c3cd28b2b59444eef55f075e5c1125fa3c26e4136bed3e0cec80e29efcba725092c92f52371746142232190c1edf4a84b747f17d7cf53e447e253

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.txt

Filesize
163B

MD5
d60e814d6fe7e9ab7d77a6faedd1edfb

SHA1
631e16e188395e018e7c5c59ee7c98ab0d79d2eb

SHA256
d05e1c31db971c55a0ca594b95bdbd1dede720ea3427ba148b843495a486be24

SHA512
d3a0df75a67f76a5578541d750e44e44def4d6952100e93fe75de1b1e545e5d44472ddf0566c817318e41ced5a6392b3cd21b4621ced16ce6188ac27b1c1890a

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.txt

Filesize
163B

MD5
28fe07dfcec0e540f74d062a85544129

SHA1
c4391211562d65b510d480337498a0e07c8b8ee0

SHA256
53d19840efa9f0829edbaabb532a5a11382ee810cd48a2f6b7daae3e750228ac

SHA512
9ae5a194936ba7ebf3b6894639b34e4d2405a87b2026a82dfb73112471c1e3328dfd898ac9688fc4d08248b2d4af87d83db75a85eb9eaa81ce1fc22af8c25ba2

Download Submit
C:\Users\Admin\AppData\Local\TempVKYGP.txt

Filesize
163B

MD5
4b33517addb52d5f22d58d74afd828a8

SHA1
05323da539167ab1ff8c372e95d78321566d1fca

SHA256
69530345c44d17603c90e3a02b05968a0ef04f08050a356b844f0338fdc4f6b2

SHA512
491ab97e7d47fdbfab7d7fb25e17154b8e005163de113d26a94f8f165f1f38b5cba825945d617c09958b2931ee5e53a1492709ecdf8e973f75c5ee1be9b6edda

Download Submit
C:\Users\Admin\AppData\Local\TempWQIOA.txt

Filesize
163B

MD5
3eb0505dc48b58a40f4b69e0e091e3de

SHA1
b6208ef39dcd66442769ea1cf97b419d576f6116

SHA256
d509de7cb2741c0697ad7ea9db923c66aff2f40aa7b7ef1d49ef1ec26ef657e3

SHA512
aa26850168520988305fdac6a699beda9c29f6a9ed4f6583ca74858a3ae4bc315b046c84f835a5511ea89289ab52e0fe3ca809ed69a7c94b9e235819f1538048

Download Submit
C:\Users\Admin\AppData\Local\TempYKIMH.txt

Filesize
163B

MD5
ffc855aff102d74ae673fe8eac8c2e70

SHA1
d68a015334a2510a13d74d7d7391d88fccc0a141

SHA256
eb798d686427248292fb0d88fdd4d552666ff67f5e040f078cca0cd33485cbf0

SHA512
1f257e4af2b78838845681020a1f8e91cdac1889f4b87fcd68b8cceeb115873ded4d32bdb6db3eefb94c8f8422be3f45d018db558bb003cb09815c35f0aa8d44

Download Submit
C:\Users\Admin\AppData\Local\TempYRXJF.txt

Filesize
163B

MD5
8ab67a9bfa46da328e79123f02e1e704

SHA1
f2080491b1020520be3eb69e10749e2b78a58691

SHA256
8748b5563d586b575d5743fa707e11b83a8f2ce3c37df25be2cb9fde69578cbb

SHA512
8811b18b0cea78156103fc6b2c38cca9838fec251069fde26418d2d4e4e264a4031e9d5a6461bd30de9400353497bc269a0fc4a6e4bfcf314b39d24ec5afa5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe

Filesize
520KB

MD5
ba8c71215058798606f2e2566e4b185c

SHA1
92ada04f91ea5145dbf68b8c71bc33d615429f13

SHA256
d4e41fe059f787794d0ad5bc9b9334c008218055d11a85c21e38857c880922c1

SHA512
3bb94dd73b43406d7a69db73b84733b998c3b4e14069514f7201ba72e34c5f212793345977a9e3a4bfb5c61178b25f77f7bd27eb2c09bd922a251d90f9ed69da

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe

Filesize
520KB

MD5
880a0ad5ecf29defd667dd337162a192

SHA1
6e72d108c7612384f86950685e5e44367ad3e94e

SHA256
7ef1f7674a949e51c6a0e8bd8d7a733b37052a3d2e4133900d6e1f31f3c42c49

SHA512
97a5a587b1ba5350c9391a665a829a9edd3af0b556af90454c5201cb62781f0055436b1ee95ee7a460ea6d8459613a1ab972734580166261b134e364e893ffbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe

Filesize
520KB

MD5
929a78a80ec2b79a5112ba63be2faa74

SHA1
5face7d68a9d1ba06515a7e4f8379772773b51ed

SHA256
8f26f41dd10b68b244ea0ff668b1e71f19ee8e0ac6c87f4cb0e5389b36a31764

SHA512
6f2c66f796c23eb2a35aa9f68451b77379b9275f4e528e7e4fa60c304a466c189d51690b926af5bff671e3e762f2639676c80eaffce932f4afcdeaca556a1f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

Filesize
520KB

MD5
591322fb0eae580d0acc28cc801c482f

SHA1
6495027da02fd69e726df2512258077dcaf19af9

SHA256
691edd63f7b194ea4f61698c3c0a58fc32a84a95397d0f10c4f32b73b726c334

SHA512
a569666b3ba1a9b4ea95b48a8e68f3de29ce681706a94a853ff583ec0f1318865fa9734fb1c6e54358a25edd13f6955aae490099517cd4ce9580cd142a34aa5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUUC\service.exe

Filesize
520KB

MD5
cde127844ec4561f8bb41ad6b7e1b149

SHA1
ae3e083e7696c9eb818a1a1354a5cb2a33258d5a

SHA256
0bbb2f8da86b457148fcb5d9b78089d9aff74d50c5c2049d58be153c4914aad4

SHA512
b7edffd27fe1c639baa58bbe4e6a9e2850f7d90b5a7c493b8d4be1b3ae5f54faba200f86c0a11b72b2924ba88356f0215abab6d9f08b92400ebf1052764ee2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe

Filesize
520KB

MD5
b53595c6682051fc409201a710ce8c7e

SHA1
06927d94f15a896c2645a5be4e5d6db41bdb8dca

SHA256
f2975e9114f9ff2ef15a63be1519255ff6e0edb11dfaec444ec3fd35a0148b44

SHA512
a8ee50157ffcfa93e506ab3310a35a7925fb98381032e8adfcfcca393b529b2a9a6beabfe2b77eaf172a783e1de2919df70ba0d295106a56ab2945ed3e420c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe

Filesize
520KB

MD5
8b9082551ad17d58ed6e42adcede23cf

SHA1
8825b2d30a042c42962610a44c47341276486e89

SHA256
936c9c170e36c1faa6ac2509a5ea7f16b0b165cb06a9dcd18b5a5e5a60898572

SHA512
010b4a00fedb0b171710ab317d86aa7b00d942ab25f14fa7c3e4c09a5058fe022524c5727215001734ef1c071dd0968ceaf063893a8c672eef0c0968d0e775ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe

Filesize
520KB

MD5
096479d5d98c2acf32a5198e56605853

SHA1
e4aa9e5a920cba5668b24b0bf1cb756fd7d534f3

SHA256
9c3be26d77982bbd0cd0b33449bfd68a1d815e728da49160f58e63347767f870

SHA512
7d77a5612ba848e7c3576c9011a8358a17d92e49ab8151f75f9fc696cf7525ee7c6c41d1b75bd0adcd3d8a1d7b177de7cbb50a9dd22f3afa7b66b91d90d6ff35

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIO\service.exe

Filesize
520KB

MD5
1fff813527eec4133fbe9b2f383b1352

SHA1
72293bd02a3991f43f28375f01e80585350eacc5

SHA256
4bedab9e8ab62bc448a20650eb3ed4240dbde394391c6ba5bcbddc2f233e5add

SHA512
0678f77ca3c6a9af0731b291a3176543c25fca515e3c07754aa17d9d88836a14a50a2b9d7a56db14872fb765ef1657c93330073d85e7b80511ae57050496b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWXFT\service.exe

Filesize
520KB

MD5
6a5da93ff0a2606a44fcca47acd95d07

SHA1
d10e5f3b67b5860184bfa7c873c671a2bc6cebd0

SHA256
e6b0e58f0310759613ca373d9400c393d4f0cb2352f43c4c0ab51227b21780bb

SHA512
f84b80cb35b8097213e9d09bcfda42085a90c9d1ef5bbf2690e3919dbda635fed324fcef201f88cfd03b7b90f16f6f4b0e7dbffd95a0c180e387db41612272a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAAGDS\service.exe

Filesize
520KB

MD5
855b3dbb228796298fb291151c9fa039

SHA1
0b276e02aa42a64cc8aa65b98a2c462364d6bac9

SHA256
28586c5dd40710d6c21010da8bdc4a144a28af7799e7b0e37911e6c8327df6d0

SHA512
b14f8fe290a88f35fcc22df9ef12ea4a4a11518b4fa4fbe09b4d4e881c7467563bd7f3e0ec109037dc470dc89dd5daaaf6de08a37af152c054c8d9041d5aa17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe

Filesize
520KB

MD5
c35cfdab512e941df0d6f41cddc7dae6

SHA1
3581182ca9fa87c7ec57dd6a29e7e254053a9981

SHA256
489c821e3bfa13c648f96921eccd4535f32a6bfd2f08f4e1bda7a133c7d88f43

SHA512
fd1e6fd9278046642f09d90542731eb740ae9edb1ebd3841e1a186a7543087475ab42fec88aed70c4b9c6dd5f5b2eeb6372047a75044db90c5a95334d62f7655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe

Filesize
520KB

MD5
1cd0559ffd04092740a6ae4cc9a5bb3e

SHA1
dd75f341d92b4380ada684bc8164f6d198b2ef3a

SHA256
5bff2f4f0fb70f4fd68b98b6d7eaa6a87a83c419a542facf455aeaecc5466bfe

SHA512
ca0061718635fdd8d5d565a1bd1433eb606db5282ebb50883c27eda8e8695ea99de88e63741bbf873d7e12e317ccd4a33ad6ee5228c5918a4f6c9ba4d1a9b411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe

Filesize
520KB

MD5
87ae8f889d133acaec8936bcd9130685

SHA1
e1a7d9918d68ef5e20385bafaaca492e07265767

SHA256
89d2cfde0a1b3112f02c8b0de1316652963591210f46a1974b7088950874cbcf

SHA512
d3bbb1926f8d1d28fb03124b81b2c8036d619cc9d2d457091c36803718b9e410484a20834e3ea035ab7c514385ccb58d2aa003ad8b410da2afc395195dbc6fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.txt

Filesize
520KB

MD5
bd6721d552f002d5f99af0dd5bf75eab

SHA1
3d4dca33e82f347570a61390cd230a6ea830b21b

SHA256
cf2042374559fa2254ff8a7d7b7476196691b250900c28a898c8251bb4369f9d

SHA512
29034e94a62387fd176912dc6bf9d709b06b29b3be70567958dd88e26924cb063efdeac5e45e66d6c83203136c5910843edd5a3da06370d6f5f342cacaec8f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe

Filesize
520KB

MD5
9c36955d599c5da6e08683c0b5678f49

SHA1
7f3ef83e3fdb077d6b561bb2e695d8649b5c69ea

SHA256
e534c9c42b7eade39ec2572fbac7e8227eeb64374931d7ab68c7c5888719a751

SHA512
e6658c23d929a8db49d3ecad6b549dafd6c2ce468ceaf2d952a31873c45ff6b586efd9e0864f6110302853cb914aaea073b1e411b58811095d3e5ffee79e929b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe

Filesize
520KB

MD5
f8e49a3a8c2ab9b47805fbabedac71d0

SHA1
6061c9982234a2812e889ff37736a299fba47ed2

SHA256
9a3b878e600aa37e8d7857a5fe22db455563621331785cb9b445c6d37f887824

SHA512
6ea831bc8cb95dc47676e1d5e283de742089af5805acdd631a0cf4a118929d13b60bd2d29ff5d9f492e60662bbdec5f7019add2e714f47cb3d7eb4816f7469b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe

Filesize
520KB

MD5
235a3ff4736af5ba16b8c1245987f494

SHA1
ecb0006943c361072645e74e151a9d720294ba7b

SHA256
37f1d39efbb9ff540cfa693830b94c354269fa79377f0031ecfeb9ca9ad6b882

SHA512
acd1c9e5544b627f2d389c126aab7b37dbd04789afe0d0f3ff6e9f5b972225d1919fc36bcc4bf3fae25bb851b2d00ea6aa1d0dd6bb1d634a3a3d1ce826d0880e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe

Filesize
520KB

MD5
7eb3280ef5947a2cf41b3dfc3e186ecd

SHA1
ee383599d135149230fe2c0459c282cf8f28ef81

SHA256
d30ef60a60534ee79f590ee05fe261b7178ce019b5dc8e0ec9fb65d8393cdb1c

SHA512
1ea62989e4722af5fa627a1a3ad326a9f9baeaba3fa8561f404a322316b3c3a75d6420c8d2ff610240a16f368561db4b773067235106da06a3b1993a18a60f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe

Filesize
520KB

MD5
dbd92b75e9c3b982ffb369c96336cea3

SHA1
b7a85d64f6aaa4a1679c30c1418464b1c3ce598e

SHA256
27f027ab0ab6213b29fc986c5cc8933ff959a33d86dac97eb285322cdffdcf62

SHA512
664c52b4a0aba924abec9df64c265c1c19e49f02089c962053aa0b014d694618f48695e6bdf0ec58ebb5d0105d543e607feb0f37cd925eba6217c7c32071ebdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe

Filesize
520KB

MD5
db2258711a8c9b7089ace57c9c485d1c

SHA1
c07c4fea1054415992f21300867fb2964c6b4d2a

SHA256
947f75e33c5e8da8297ed3860b1928699abb581b00dbd0c13803fb81b3226b00

SHA512
3e2be9628b1441f6117cc5f2c8bcd7b8d1287d72412036717131a2b0120c95806b97c267cea9bba1132676827f07bada0c7b993c23d4062a5796e99c1360a293

Download Submit
memory/2416-699-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-691-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-696-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-697-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-690-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-700-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-701-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-703-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-704-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-705-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-707-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-708-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads