blackshades | dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4

Analysis

max time kernel
131s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
Size

520KB
MD5

90fac165caf2ed6420d2a6ac3857170c
SHA1

9fb56c084bd4b26daaa4ae8feca5c8daba9163d7
SHA256

dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4
SHA512

be4a6ecda08d15008fd37ab554773cbfe06b7ffeba206497180f0e289749ca60cbfd93afbe8def403c8d910b74e809a4b89015430ee69f06c0491f57db9c0f8b
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXG:zW6ncoyqOp6IsTl/mXG

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral2/memory/2304-643-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-642-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-648-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-651-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-652-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-653-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-655-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-656-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-657-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-659-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2304-660-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 25 IoCs

pid	Process
2580	service.exe
2512	service.exe
3492	service.exe
872	service.exe
2312	service.exe
3520	service.exe
3228	service.exe
5048	service.exe
3212	service.exe
1132	service.exe
4736	service.exe
4012	service.exe
4952	service.exe
2544	service.exe
1968	service.exe
1564	service.exe
2576	service.exe
1160	service.exe
4744	service.exe
1832	service.exe
2784	service.exe
224	service.exe
1116	service.exe
1692	service.exe
2304	service.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTSWJNJHXVMMOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHNEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPLJLBOWFQVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTORVTWHMREBQYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OBNVMABWSNAWIXC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQCCPVNVJTK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COSPDPAXDVURSEK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNJYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOJIKANUEPUERCA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FQSNLNDRYHTXIUF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UITJFERHVRPUGAT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUFRQRMLRNDQYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFABVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDYDQGUPNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJCHOXAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPLJLBOWFQVFSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXIJGPBHMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJKDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJJQFEFBGBWREMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SHRHDYCPGTPNSES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXIJCWBDTQQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXWIRISOJSDTDST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUCDOULJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXJRJSOJTEUDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMGPXHDOHIYRVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VXNHAFMWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XLMIGIYLTCNSCPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPUFGDMEJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DEAVQDKFKXHSYPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBPYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYFOXVGCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWHIBVACTPPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GGTAJXSQBVIBVXC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDULJAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 2304	1692	service.exe	201

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1708	reg.exe
1136	reg.exe
1988	reg.exe
2092	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2304	service.exe
Token: SeCreateTokenPrivilege	2304	service.exe
Token: SeAssignPrimaryTokenPrivilege	2304	service.exe
Token: SeLockMemoryPrivilege	2304	service.exe
Token: SeIncreaseQuotaPrivilege	2304	service.exe
Token: SeMachineAccountPrivilege	2304	service.exe
Token: SeTcbPrivilege	2304	service.exe
Token: SeSecurityPrivilege	2304	service.exe
Token: SeTakeOwnershipPrivilege	2304	service.exe
Token: SeLoadDriverPrivilege	2304	service.exe
Token: SeSystemProfilePrivilege	2304	service.exe
Token: SeSystemtimePrivilege	2304	service.exe
Token: SeProfSingleProcessPrivilege	2304	service.exe
Token: SeIncBasePriorityPrivilege	2304	service.exe
Token: SeCreatePagefilePrivilege	2304	service.exe
Token: SeCreatePermanentPrivilege	2304	service.exe
Token: SeBackupPrivilege	2304	service.exe
Token: SeRestorePrivilege	2304	service.exe
Token: SeShutdownPrivilege	2304	service.exe
Token: SeDebugPrivilege	2304	service.exe
Token: SeAuditPrivilege	2304	service.exe
Token: SeSystemEnvironmentPrivilege	2304	service.exe
Token: SeChangeNotifyPrivilege	2304	service.exe
Token: SeRemoteShutdownPrivilege	2304	service.exe
Token: SeUndockPrivilege	2304	service.exe
Token: SeSyncAgentPrivilege	2304	service.exe
Token: SeEnableDelegationPrivilege	2304	service.exe
Token: SeManageVolumePrivilege	2304	service.exe
Token: SeImpersonatePrivilege	2304	service.exe
Token: SeCreateGlobalPrivilege	2304	service.exe
Token: 31	2304	service.exe
Token: 32	2304	service.exe
Token: 33	2304	service.exe
Token: 34	2304	service.exe
Token: 35	2304	service.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2516	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
2580	service.exe
2512	service.exe
3492	service.exe
872	service.exe
2312	service.exe
3520	service.exe
3228	service.exe
5048	service.exe
3212	service.exe
1132	service.exe
4736	service.exe
4012	service.exe
4952	service.exe
2544	service.exe
1968	service.exe
1564	service.exe
2576	service.exe
1160	service.exe
4744	service.exe
1832	service.exe
2784	service.exe
224	service.exe
1116	service.exe
1692	service.exe
2304	service.exe
2304	service.exe
2304	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2360	2516	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	89
PID 2516 wrote to memory of 2360	2516	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	89
PID 2516 wrote to memory of 2360	2516	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	89
PID 2360 wrote to memory of 1596	2360	cmd.exe	91
PID 2360 wrote to memory of 1596	2360	cmd.exe	91
PID 2360 wrote to memory of 1596	2360	cmd.exe	91
PID 2516 wrote to memory of 2580	2516	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	92
PID 2516 wrote to memory of 2580	2516	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	92
PID 2516 wrote to memory of 2580	2516	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	92
PID 2580 wrote to memory of 4812	2580	service.exe	94
PID 2580 wrote to memory of 4812	2580	service.exe	94
PID 2580 wrote to memory of 4812	2580	service.exe	94
PID 4812 wrote to memory of 3700	4812	cmd.exe	96
PID 4812 wrote to memory of 3700	4812	cmd.exe	96
PID 4812 wrote to memory of 3700	4812	cmd.exe	96
PID 2580 wrote to memory of 2512	2580	service.exe	99
PID 2580 wrote to memory of 2512	2580	service.exe	99
PID 2580 wrote to memory of 2512	2580	service.exe	99
PID 2512 wrote to memory of 3472	2512	service.exe	102
PID 2512 wrote to memory of 3472	2512	service.exe	102
PID 2512 wrote to memory of 3472	2512	service.exe	102
PID 3472 wrote to memory of 2696	3472	cmd.exe	104
PID 3472 wrote to memory of 2696	3472	cmd.exe	104
PID 3472 wrote to memory of 2696	3472	cmd.exe	104
PID 2512 wrote to memory of 3492	2512	service.exe	105
PID 2512 wrote to memory of 3492	2512	service.exe	105
PID 2512 wrote to memory of 3492	2512	service.exe	105
PID 3492 wrote to memory of 1776	3492	service.exe	106
PID 3492 wrote to memory of 1776	3492	service.exe	106
PID 3492 wrote to memory of 1776	3492	service.exe	106
PID 1776 wrote to memory of 1496	1776	cmd.exe	108
PID 1776 wrote to memory of 1496	1776	cmd.exe	108
PID 1776 wrote to memory of 1496	1776	cmd.exe	108
PID 3492 wrote to memory of 872	3492	service.exe	110
PID 3492 wrote to memory of 872	3492	service.exe	110
PID 3492 wrote to memory of 872	3492	service.exe	110
PID 872 wrote to memory of 404	872	service.exe	111
PID 872 wrote to memory of 404	872	service.exe	111
PID 872 wrote to memory of 404	872	service.exe	111
PID 404 wrote to memory of 3252	404	cmd.exe	113
PID 404 wrote to memory of 3252	404	cmd.exe	113
PID 404 wrote to memory of 3252	404	cmd.exe	113
PID 872 wrote to memory of 2312	872	service.exe	114
PID 872 wrote to memory of 2312	872	service.exe	114
PID 872 wrote to memory of 2312	872	service.exe	114
PID 2312 wrote to memory of 2384	2312	service.exe	115
PID 2312 wrote to memory of 2384	2312	service.exe	115
PID 2312 wrote to memory of 2384	2312	service.exe	115
PID 2384 wrote to memory of 2112	2384	cmd.exe	117
PID 2384 wrote to memory of 2112	2384	cmd.exe	117
PID 2384 wrote to memory of 2112	2384	cmd.exe	117
PID 2312 wrote to memory of 3520	2312	service.exe	119
PID 2312 wrote to memory of 3520	2312	service.exe	119
PID 2312 wrote to memory of 3520	2312	service.exe	119
PID 3520 wrote to memory of 4672	3520	service.exe	120
PID 3520 wrote to memory of 4672	3520	service.exe	120
PID 3520 wrote to memory of 4672	3520	service.exe	120
PID 4672 wrote to memory of 4200	4672	cmd.exe	122
PID 4672 wrote to memory of 4200	4672	cmd.exe	122
PID 4672 wrote to memory of 4200	4672	cmd.exe	122
PID 3520 wrote to memory of 3228	3520	service.exe	123
PID 3520 wrote to memory of 3228	3520	service.exe	123
PID 3520 wrote to memory of 3228	3520	service.exe	123
PID 3228 wrote to memory of 184	3228	service.exe	125

C:\Users\Admin\AppData\Local\Temp\dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
"C:\Users\Admin\AppData\Local\Temp\dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWARKN.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UITJFERHVRPUGAT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1596
- C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe
  "C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFABVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMREBQYQ\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3700
- - C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMREBQYQ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMREBQYQ\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUCDOULJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
      "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPLJLBOWFQVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1496
    - - C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSOJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPXHDOHIYRVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMIGIYLTCNSCPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHWXVE.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OBNVMABWSNAWIXC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLNWSF.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDYDQGUPNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUII.bat" "
        12⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDKFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPLJLBOWFQVFSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRCWW.bat" "
        14⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "COSPDPAXDVURSEK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVGCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACTPPL\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACTPPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACTPPL\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJKDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJJQFEFBGBWREMG\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\RJJQFEFBGBWREMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJJQFEFBGBWREMG\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUPILM.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SHRHDYCPGTPNSES" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJNJHXVMMOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJIKANUEPUERCA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVHNS.bat" "
        21⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSLOQV.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GGTAJXSQBVIBVXC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDTQQ\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDTQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDTQQ\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIVWW.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FQSNLNDRYHTXIUF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQLRWI.bat" "
        25⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXWIRISOJSDTDST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempEIVWW.txt

Filesize
163B

MD5
786f5444df115424519fca635b2fb6df

SHA1
b1e5e06e0f39d36dc61719b82006e5dc49b257b9

SHA256
b175c9f1cb5f428df01c91197742b5e5293754f83209140aded35a382316e648

SHA512
0f55df4c03e8fb8b14fd0c7568267f76fee62bb4c4645e7142933711e0b1d75a559883ad5c3dc2834be6dc1368f16015da4ad2fc98ec213eba150abee3aed7af

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOJ.txt

Filesize
163B

MD5
8b090728fee03de443e08a7b37f627d3

SHA1
3f8d656f7326f408eb6e084f5ace832fa600d130

SHA256
6f121e5f028070a332505d8b0f660c29f7965d2e55194775ef573df9ef0c3865

SHA512
68f0bc3fde3acbfa300a2702e8cce74600557b326d6db2ef794af6abfa2f376bbd2e0e2f9eac37f8e0518bf302de7bf6d1c9a09142ae13240cacacd9c6262d79

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.txt

Filesize
163B

MD5
71df219acbaeb5082758bd1cc22abc59

SHA1
770492ea371742c6b9399973677b2e0227258dc3

SHA256
93aa8764d3fcaa3b28db9ce5236d6a7a6b79caddd8f0a7a0bc63db8698a67e42

SHA512
2555ab9edf56613551d6cb53239257eb53e124c1990a2f49064c53acaa688bf4aa458e9f068aa9bedb9daa18ccc22fabafd3cf163bfc18a102730cc8c54e951f

Download Submit
C:\Users\Admin\AppData\Local\TempFXWST.txt

Filesize
163B

MD5
9591829f1e02cbd8f4dc3e50d72ca6f9

SHA1
ac6951700713d8e5c81317b2b5d88cc0b8e15bce

SHA256
43522424e1d41944882771d5994fbf4754aae59c3f4739b16721c76ebc1384fa

SHA512
f919cded79b0be5995fb5a224e21d21505f44d6d8a434144934877beb946dba679cde2a2d27cf88adb57b6887a757ceeea454a1ee5a1c73d05d4f0ffef7a8cd2

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.txt

Filesize
163B

MD5
5aa9daea03aaadb48bc3ea86d3750193

SHA1
19bf1fa69ee16b6d89d1317a50b5d5cf6485a866

SHA256
e5f3edf7a24c0d076b7505e1e49f9eb4479d217a2f2b14ed965b0fae3b08d953

SHA512
c73ce1bd9579e17f050785dfc873678a21f96405f44e42a108e635c3e87d22313ae6e9961da3e3320c8eca395cfceed5f7593cac85b05da92daad69db1056de2

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.txt

Filesize
163B

MD5
ebd79e6d7fafdb1f6cb5120ffef0b937

SHA1
27864401d16dd197fb4e888840f84de0deaf033f

SHA256
10be2247236e026660239978d110e0c476dac11a3cd2b86baee3d67809306138

SHA512
23d68cfb56a66e319e2867712c669fd470e927aeefd1359b42ecb5b732755ac3eb5680105a3a501b4322db4ddf953304da57bef90d4bbf6afdcd52eb054e08eb

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.txt

Filesize
163B

MD5
10032417e0f7d3c76cca039ec1968344

SHA1
18799789601cfd9b36309c6d1327270906358697

SHA256
5b2057e8d7258313ac687e7f2397a48530122264c9181b3293a841d1980a20b9

SHA512
874bd2cc3af600697432ef5875b3ecb36f9f5d0b0af25b47583849906f45ea5b8afe58732a0680be9f3de51d7c9b50835d52b60c1e82293b3e0adab4f5004c15

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
fd47132f16ddcc842826c95d2b104d63

SHA1
1185ba478693ed1687f12c79ce54488e2d408206

SHA256
81f40f38a7bfe8c8e8579484b3ebc9402f742c3acc28ecb3bfc14b2391862164

SHA512
28478402056caf4c01aa77ca3faca2450e3f6300e75a20d58a45c5b1ade1355c93767eeda53bcf6b2f023aee61e141f173d8665517ee79af349a6da3837eda5d

Download Submit
C:\Users\Admin\AppData\Local\TempHWXVE.txt

Filesize
163B

MD5
42fb391cdc3e67393c80f283f77c21af

SHA1
265531f75ece2c58ba2ec44fe6a0c2ab44e36839

SHA256
c2da48aae0fec749f821f2cdfc14a3ddf38213973745ff801a5be068c378ae2b

SHA512
2c2333bd941c0219ef555281028322a9aae1fe7788ed383fefd8d70f481950355fb8cc755698d5e59d436f4457abee70e7df927cd708cfb43326662e10674fc8

Download Submit
C:\Users\Admin\AppData\Local\TempJGOAH.txt

Filesize
163B

MD5
d4e55abce3e57815a3142d752db38564

SHA1
0eb774d01c84180e4a219d678663c1233f628cfc

SHA256
e2a4b0e103a8e3de2589ff9c9b430ae550e82d952ebf2f5e69a2261fa269a615

SHA512
ada4ff179aa499aab55eccf3bfb9b11006f5813e883b48003c1bdb25689c456c972cd26018c6d8c11044ae88ba12d136721499a709e1b2f4059252e69633ea26

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQD.txt

Filesize
163B

MD5
d47175ceaacf560d2223f3a3d44fba27

SHA1
0d93ef4ec8d42c668c62ab148e2059347178421d

SHA256
7162b8b04111eda39d91132300930e3fba148a261394f77f6d2ed50a5a47bb57

SHA512
ce4a1856b81ee1bf877a47b2c76c7c675656bd5a4b140f894cab4389acf54d0be0dfed8dc890735412464d503e732dcfe1a99026839173998040c5b19157a7bc

Download Submit
C:\Users\Admin\AppData\Local\TempLHVUG.txt

Filesize
163B

MD5
de69c25118df8838f32524d5b65053ba

SHA1
d79b8934dab391b2f85b02ec96a6cf696e23d29b

SHA256
40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921

SHA512
71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe

Download Submit
C:\Users\Admin\AppData\Local\TempLNWSF.txt

Filesize
163B

MD5
84c2d8383f144db37fcf310586df6583

SHA1
67859e2b3efb3ca251e9891e5b711e6cdaf8323f

SHA256
aba32919743741bd6c41ab2fb15fd63dff719eaca314ae0ba6caf78f6ead1532

SHA512
d7734f86c834abae464b32b3eea0909d22a15860ef685d33a5769e25ab244159e56389fa8e4dc4a671876d285fe881a4ca88d25f204d568b8c10fa41819f0daa

Download Submit
C:\Users\Admin\AppData\Local\TempNVHNS.txt

Filesize
163B

MD5
65dcb1450b3de3f67453f9bcef548793

SHA1
47dab7dc089379d0f3878167729b72aa27ff5a4a

SHA256
bf72ebd2daaa96247946358ff30ad4bad7264ca4d2ec2e8a87b976d3b0aafa76

SHA512
d6b8ba80f3653bbc51064150367174681632e6411aa42f819bcfd8cb3d291748364d1eeafd7ae15cd70c327f4595a4f7775aff277afebf8b80539fcca26560bc

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.txt

Filesize
163B

MD5
8680f9d1e766238ac5ef8cce14b72a1f

SHA1
85b397c7a9195e2e612031de3db215707c0c9bfd

SHA256
aec51838aea6b108ce9c6790c4dd91ad85a34732e747f1992084c9a30999664f

SHA512
5dbece545c752024f0d8d9d034f9bb45957cf3d58025a4a93c1d139a0e470a7de6d011d7a2b39a15d5536ef5841a0c792f13d8aef56b9fbc0686569ec43f63ff

Download Submit
C:\Users\Admin\AppData\Local\TempQLRWI.txt

Filesize
163B

MD5
2a2feaa69ee437e48534dc3512a840a2

SHA1
ff3bab25fcd72949e6c10bf90d19afdb60dbf429

SHA256
0a70fd5b87246f089acfade1c32f8ea47e9314e72b807e1ee68ea56d3366ebfe

SHA512
ee7603b5a8bd6d6e6c76f6acaf42fab84cd4dbb3b552d4e851e11e74983730b3a2e05dea5d689d0e9b70a392425a694ecbdea13c8f8803be0e2ed7c84481a000

Download Submit
C:\Users\Admin\AppData\Local\TempRMUII.txt

Filesize
163B

MD5
bb27e4c24484dbe2d39e8d88d55b3c2f

SHA1
86007d26b8075efcf83cc8f6ef77c6d381291658

SHA256
cfe74a40b353c29cb95f1610b3290f8e32a0f0122d125dce317f63d35031a5f2

SHA512
52f774bad56549147e26e62d2688ff06df16a3bdaab619d8e98c3b0cba2525f2530515ff868ec444e773ad05d5066fdc7dcfb086676c0cd831a47b83ec2126c6

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.txt

Filesize
163B

MD5
d8dd752b8d973aa78dcd337a3db82d2c

SHA1
c1ed590c6c7d6ac1c8f97bb3b6ad786323c1a853

SHA256
8079ea63d2ad5a4b60dd7292446e1239067963f57c734089f25bf16f48363696

SHA512
44ba1b7d27037555353137d179a9f48e06dcf7f9b9a74e2ee7a1c78f4f74674fb930b7c07af6f7de274af6aa6ed424bae3f5d19ebc36b068d552c78a889dd1ff

Download Submit
C:\Users\Admin\AppData\Local\TempRRCWW.txt

Filesize
163B

MD5
fbfdf7df1883ce81b507c4eb9dbb240b

SHA1
bbe5501332c8d01b21722d5db6f7c161f6d41dc7

SHA256
20532e2e7c6a94325bebff8553bb4addcbbdf792ccb832eb05761da468565f5d

SHA512
b3ce1cff6959172d6682097a9a359bedccae250ae2645443875e2efbc255e959db3d82c3c1fef8ce70033964a761be2c9ad09866851d8abf79a17ad88eee981d

Download Submit
C:\Users\Admin\AppData\Local\TempSLOQV.txt

Filesize
163B

MD5
91af9641c96c09cd6115c4e4d6e90b03

SHA1
3bada0f534ceac9bd5320baa344086eb6821d842

SHA256
e8b5a2bb832fa0a0ff78f871ddd2521d8bb60360498528b267f215aebc89a1d8

SHA512
6fb64222c742edad6c01cbdfc00e138661f75dcda6e1446190cca1d7350512697d776ebb4f872cbeaafd5138d87645afe96dfaed1b13e20f69411cf4eb1a03aa

Download Submit
C:\Users\Admin\AppData\Local\TempUPILM.txt

Filesize
163B

MD5
82cb33fef4c516a52434aac65d103bc2

SHA1
3a7ce890b427ea6ffe6f524b5da321cb550f9a80

SHA256
9ebdf6ad0cf12d9dc7ace46849d48d61a257cb7b08e05a921f8360f73d43a4fa

SHA512
cb781578ea5db9726bbf2713097491cd943011ac0066dc1b020c608de80eaaa73f54b0c1d9397b1801a336bbacf8242705a3810806466c0e3c50e019c8a5ab65

Download Submit
C:\Users\Admin\AppData\Local\TempURAMS.txt

Filesize
163B

MD5
8242fb5d6fa630c4073388efd1ffd44a

SHA1
08cae6cfde916d69ad71d6b49be42d24ccffab64

SHA256
63725b478c68cc24876a429fd219ee83d663c7628e8fa56909231cc6e4a6f566

SHA512
8f35c03bbcfda32266613552ae644ab96bcd1d97bd21d3cae80b8a465a58ffcf1051e8eadd2f01869d86a739936c77d24cf103b6703cb73661e1d70eeb225ec5

Download Submit
C:\Users\Admin\AppData\Local\TempWARKN.txt

Filesize
163B

MD5
ad0bcd143bce1ebdfcc60dcaf7b3b79e

SHA1
f64e59d3f918be76b1ba6c2e2c07fe2f59743c73

SHA256
5caafe83f82f0df035cd084a3a6140e85a96a9e29a1736e915b6cb470e6b80f1

SHA512
0f573dc938b11acc68bc53d933c087f3e1cc193f2d504487ea83beae5a7cadb9a1b9acac91206173a0cb7f2a45e8b30f5925c7d00beccdbb27adbc0a4e6e1344

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.txt

Filesize
163B

MD5
81f5f7a5b13b716822c07801e6bd162e

SHA1
3210cec92841391b12f98e4ecc96edfb01f40871

SHA256
b5e4bce2d6cc217e100805ced6bd9b305f2f67ed0327060e3d67ed2944304412

SHA512
8cd4bd199adeea32a5d975fcc9ba2cb622b66a443588bac78cfb29a5fde700ea262a2df9fe967a90ed730dcefde9dbdd0131f88177d9d7096f2b1a2273ea611f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

Filesize
520KB

MD5
ad6749d299383aaac4492bbcd5868dff

SHA1
194c3a172393b2956d35bc2eccf3c065c126a8a7

SHA256
a91d9728b9b6cd8d7cf74b890425197cbb6d4d00f5fc3d586856c31253de54d1

SHA512
9a84c9e46f9ceb9cf1bd3ef3018f4f7348d06fee53c8d7ffca02830dd30b5499dd40f867631b2f7f44b9e44ea4f4e9a7864fcd6575636efa0e98aad79f11069c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe

Filesize
520KB

MD5
5e28ca9e80ca90d76948429513afa5f3

SHA1
4416995c63016223a902921d6e5b201adc216edd

SHA256
f9d494362bf2ea3a073aad08545a36cded36f4dbd82202775546580438a7a838

SHA512
0220ccb71018072ff3f9a3c6646bdf3adc5df49c49fe860999e35594d099057d0e6730a2e6782ad05e805225320af6e8aa142fe4cb6b4ec56bbc95b8d2a7fd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe

Filesize
520KB

MD5
e41b416231a9a021d931668e619c8eda

SHA1
5be902f4a80f0b7a5263964736564ee75075cc1e

SHA256
fe4f214d46bd0f0f5821e2a0af51bb5a4a9c6297a99ecb0f94a4e545b5e6abfd

SHA512
28b31ed221fb62c7fb70076ae64ef37227eca778cdaf031aa6050e6b7f41f6b77029797b6fc0f8e56b5caeddd923cd235ec2b8415843d9a9846bae61ff44cd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe

Filesize
520KB

MD5
9be987e4c8b1f8eee0ed6ecc6282cc41

SHA1
19843643a2ffacba49c5648bb1674d896c29400c

SHA256
80fd4ff99fcade9757c91eab6b09701b5f4e80ec75faa363977a7d9996a8cfb3

SHA512
c1ac099ccf512292fce4a64c9808369ba7b1dfd8f3209b1c3e6192b56778b103d8e89c2926c088264330505f8a35074bdd3ec2d438c8af762d28f079fe4e807e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMREBQYQ\service.exe

Filesize
520KB

MD5
8fc3ac27c4fafdfb61f79dd218d78d7c

SHA1
d201dde6c1a292a829dbf0d743432847e67449d3

SHA256
f262e8f3ef907a958b48a2e6e4536c60f98944c322f4d565dd9a44f83c2ab490

SHA512
f59af90b9d390d5f22c9a52619b2e375418dd6e86261709d8ab7837eaf4e9653c3ce377ca35fce533240909c20e8ce581f71bd0c36084b0fcb872c9d540cb805

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe

Filesize
520KB

MD5
e3efbf8fedd13b3fcde4401010976d15

SHA1
c3fdef10bc63649b48e8023ad2b3e3d60d81de08

SHA256
7817855060ce7264cc52c54f3c26c15d395c1f2f42624bc1abaea9227b4a2d83

SHA512
6aaadabc0c5fd99b8ca58c448e2b6fc36cdcee0bbd62b7e12884754af15336663c83572d110cda408b464c5f8d426d869010cff35704e376737e8382975be302

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe

Filesize
520KB

MD5
0a082fc996848776f0eb9576abc7cd97

SHA1
664903389e8ff765a4baef3bdd24827049b13d0e

SHA256
b75f36d57231a4ca9aaddc547b0bb72f9e366520025aec5f1658cb02ed33e2c7

SHA512
f778834a9b8a096df2a40a83e0c34c11d8950bb0c4d0deb064d97c553344b51de0bcebb27e19e67a7a75490b8b2fc4cbd62ce32066c161de22c0502daa1e6820

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe

Filesize
520KB

MD5
46c8e91aab21389f05c3c9ee95fd4432

SHA1
ff78d8e6a9120f02c434d282a75bf13c7ef48875

SHA256
0479a93875b05584577083b263e49df0ad8614051cccb0d6318e694d83126a0f

SHA512
ce3a0a30f8a52ce90de87d960c52a56ab57205cfb2e93b09720e39c9d4dab56977f832b57ebd7ad371efa9a74b1103bb8954e531aeaca53b2c66e0b6272a6c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe

Filesize
520KB

MD5
0152fd8db3c22d010b8abc1914cb0d27

SHA1
fb945bd5a7dd0dae38eefdcb31df801d431743bc

SHA256
9e207f5382678e83146de37248f06afb64c81bd9dca1b99ccc4955f9a15666b7

SHA512
9fabbd97e125539bfc956043732e15565cd102b2135711a4dd0c0eb178910ccf5a70782962cb828c09f89421036730e8c763426bfc73db79697f3f6dd48f38c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe

Filesize
520KB

MD5
35af8e6d5256cebdb81878c17c987dd1

SHA1
c132fd0dc217fa8d2483676ed4bf26cb2b459681

SHA256
4ad320b6f0fa8f55e5ca278a8d8e7db12f39c1e96b1206382398decb5cc21cc0

SHA512
1c2a3f913f976d222c46497f2938158526cd7bb4b8bd97b677a5c106adb8f81f76efd4d1e6038c472ef9e53e9c26c50fad2f1971b6707f506e5e2f72eae05e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe

Filesize
520KB

MD5
6e117d5c4f5abb9a8c48eea7aa278b49

SHA1
12bc773977a2abf32cd0e745185811f2c9db21fc

SHA256
215b31514fb7d4caa7a44854f852bf5da490e07dfcf84e32fd2d4afcf7cab17b

SHA512
505c19f32db8ba4516e5f4734d79a5f6812d735ecf3f410529db0bc446322a296a998fb9df780336fbfe33b21efd289da706daff5dd1408213f6a34ed28c541f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJJQFEFBGBWREMG\service.exe

Filesize
520KB

MD5
85357457278a301e8bcefd5c41359688

SHA1
f37246898dfd4c704341d9c851c6bfca88bcd286

SHA256
285f2ce435b848a677fd564c72169651dbbe53a20a40e4a792e9112923c5d104

SHA512
b5f456b8c2368bda957096d7f71649d1692a19df47d1f878d56b97fed67e614bf96f8b103cc0a7afa2ba9e7dbdece67e54728cace2eee6db2a4c641afba122a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe

Filesize
520KB

MD5
5df97204d38b67bab8db83ca39ae49cd

SHA1
57e67c2ce540cd7215b22080b49cf97be1538f34

SHA256
a065508e2099ba1ab57a47cb1fb3f94ce405fe763fcf840ee576763193f1ed21

SHA512
2f179206c33281d605355d46b5383dfdb0dd5cd7425ee2f84108abc503dc645af53e12e5d42edccae8f0667143a0e3bab59daf1db6c2d41506e319feff39188c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.txt

Filesize
520KB

MD5
9d8b19c2843026889ecb6aaa1c555e17

SHA1
dc99eda74909ac775ccf5d817cc8fa4f70aba4a5

SHA256
bd18b33b2db7be7eb0bc51568e7e7e7aa68ccac1563be5dbc97c7dfe3fdcf3f6

SHA512
9d763945e9ce74375ddbc76109261ded01411eec3b9b45263752fefce8722164621df1f07e4c8e7b131a122e6c13e792a5ec064c22d5e83ca1fb7ec1f795251a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe

Filesize
520KB

MD5
6f9aa065336e2f05beaf4144863893c8

SHA1
d1d4a132b69d525f2f32d02b64b231ae25b75480

SHA256
7f0de046f17aae05848bb0b53ec2264d63ae77c4dd7d964b3104923671945b72

SHA512
01702b02b819863f49c90fd6583260999bf5be58278f9d28cc42fc4f55def9397d1d65afd8ba44a8d52e107a6886a0c68b321a27a8b7e12e1148380321d3a0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

Filesize
520KB

MD5
9e616f5d754d72a875f51ae30995ae87

SHA1
70e779977bb59e41b852247e763e6d887a8ab45e

SHA256
874cc9fa91da18d30f4d7f076ba515fd7f600665c483f3859cc91f6dd07d0fe7

SHA512
48fb20eef95f59bcec2b864e9159af5f57cf38c7e94296c2f6dcb118e7ba91ac8d6b4b99e889bf346fd0f67f47ac3208b7493d6eacca8af2487568bdffd88720

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe

Filesize
520KB

MD5
cedd84ccab737e4e2dd233825719aa10

SHA1
927650302633f5113616689d22ba648e7c7eac4d

SHA256
565e79aad4d7b16cf2e59f874edbc11b2b0e6930c5ae245c3209801c7f0da71d

SHA512
bac90fcde18bbba8a4397b06a2c6cd98d8b47da5c8c2ed62a3c0700ff628d055f9b9ab7942ffbcc531bd2375008fefe36afcd2f5f25cb501cd44fb21fbd5947f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACTPPL\service.exe

Filesize
520KB

MD5
efd60df869318dd7ba03b852b66d10a1

SHA1
0b7e670efcaea79096de32a009fe03b6def0d050

SHA256
0532bc7d1d6fb83f6a4aebbce882a2d4ff112fe0c6f057073e55334ad3d86beb

SHA512
b6a01dbf8c98752eea00c66bc4b434312cb7b1cdca757064d13edc1778562708a0479b16e3ce4c7b613f2c028e5fbee233e389df829f05b2e958a39700050233

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe

Filesize
520KB

MD5
47378e6f20528ff639cd7af8f5c7ac37

SHA1
16c7128ef578ece7089809228f7eb6c3e16a3d41

SHA256
ff26ab2fa37233dd552172bf9af19d7509bc9d7f557899346d1598b8b12d784e

SHA512
3f68a293e6c878dc840b00c66ca50726a897d0b15271282793b80f0cec8d9f516f9690940522c21522fc33562a48933de7aec83c0bd37d9b6c46304eb1368069

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe

Filesize
520KB

MD5
0e7bc8c34c074ea520e7c4fda5cf51cd

SHA1
3a116b4176b4882bdcd89e693ba57d35e251a943

SHA256
c787667303cfabe8296724982c39fe887408d92ba326501acdfed96f1a1868e0

SHA512
e3f6e81c9c80369eb440071b1c270d96e64da357c4dbad7679fd2aa047860cc319601666462eb42d695703cbd42d756d89128e5b19209eaae119432f54eb339a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe

Filesize
520KB

MD5
ba17deb0328467d31bdf3386c6e5bbb0

SHA1
22cd0884bb65299661b7270b65332e4d810e48c7

SHA256
245474b731549be5dee915f535ac87f620657b0d8e12f77635e94056206ae0c3

SHA512
e00c21be4ef229a7d8cb85163ee5c780b9eb29289061122677bb38ded14b0606f89c4676502c6a959cfa72b6b1ad6acd6c05302e6d53a84d811738055076491c

Download Submit
memory/2304-643-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-642-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-648-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-651-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-652-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-653-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-655-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-656-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-657-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-659-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-660-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads