blackshades | e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
Size

520KB
MD5

481090609ca307c7630403cdebdf988a
SHA1

7476081b41b122a1ef39bd7b0ea7c41259df8c9c
SHA256

e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
SHA512

e4d4ba737881a6deaf6f92af13c6a018880e434c8eed7e4095257895f142658d103ef20d33b7cefa0a92605f87150ead8b1f40bbfd53a59fd2d76e93796d5fd6
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXg:zW6ncoyqOp6IsTl/mXg

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral2/memory/2160-666-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-667-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-672-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-673-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-675-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-676-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-677-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-679-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-680-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-681-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2160-683-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 25 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 26 IoCs

pid	Process
4508	service.exe
3944	service.exe
4084	service.exe
1512	service.exe
3916	service.exe
1276	service.exe
4540	service.exe
4488	service.exe
4024	service.exe
4132	service.exe
4164	service.exe
4268	service.exe
4340	service.exe
3868	service.exe
3040	service.exe
2568	service.exe
1516	service.exe
4072	service.exe
4876	service.exe
5116	service.exe
5084	service.exe
2096	service.exe
332	service.exe
1504	service.exe
232	service.exe
2160	service.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AEJXWIRISOJSDTD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGPXHDOIJSVWIJG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOERITYIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMJSEKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYBLRYYJACDRNMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWUMCQLJYOBOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKTKPHYPDNE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPKJLBOVFQVFSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESWIJGPBHMAC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGFHCAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVYJNTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RPUHLHEVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFPFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OULJNIPEFXVEFYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMFLSDERXOWLVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRTOMPESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSELP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VNDRMKPCPRMFIKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSNLODRYITYIUGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMEJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYHHSPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDEAFAVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJLGEHWKRAMQBNV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYOSXEFCKDHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDQGUQNSFSUPIMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSFSUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTLSHRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XLMIGIYLTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPUFGDMEJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJHJNUDOTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVGHFNGKBM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DAEAHTUPNQFTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVMJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMALULAVRMVGWBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOKYWNXQPRD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 232 set thread context of 2160	232	service.exe	204

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2072	reg.exe
4588	reg.exe
3080	reg.exe
4380	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2160	service.exe
Token: SeCreateTokenPrivilege	2160	service.exe
Token: SeAssignPrimaryTokenPrivilege	2160	service.exe
Token: SeLockMemoryPrivilege	2160	service.exe
Token: SeIncreaseQuotaPrivilege	2160	service.exe
Token: SeMachineAccountPrivilege	2160	service.exe
Token: SeTcbPrivilege	2160	service.exe
Token: SeSecurityPrivilege	2160	service.exe
Token: SeTakeOwnershipPrivilege	2160	service.exe
Token: SeLoadDriverPrivilege	2160	service.exe
Token: SeSystemProfilePrivilege	2160	service.exe
Token: SeSystemtimePrivilege	2160	service.exe
Token: SeProfSingleProcessPrivilege	2160	service.exe
Token: SeIncBasePriorityPrivilege	2160	service.exe
Token: SeCreatePagefilePrivilege	2160	service.exe
Token: SeCreatePermanentPrivilege	2160	service.exe
Token: SeBackupPrivilege	2160	service.exe
Token: SeRestorePrivilege	2160	service.exe
Token: SeShutdownPrivilege	2160	service.exe
Token: SeDebugPrivilege	2160	service.exe
Token: SeAuditPrivilege	2160	service.exe
Token: SeSystemEnvironmentPrivilege	2160	service.exe
Token: SeChangeNotifyPrivilege	2160	service.exe
Token: SeRemoteShutdownPrivilege	2160	service.exe
Token: SeUndockPrivilege	2160	service.exe
Token: SeSyncAgentPrivilege	2160	service.exe
Token: SeEnableDelegationPrivilege	2160	service.exe
Token: SeManageVolumePrivilege	2160	service.exe
Token: SeImpersonatePrivilege	2160	service.exe
Token: SeCreateGlobalPrivilege	2160	service.exe
Token: 31	2160	service.exe
Token: 32	2160	service.exe
Token: 33	2160	service.exe
Token: 34	2160	service.exe
Token: 35	2160	service.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2208	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
4508	service.exe
3944	service.exe
4084	service.exe
1512	service.exe
3916	service.exe
1276	service.exe
4540	service.exe
4488	service.exe
4024	service.exe
4132	service.exe
4164	service.exe
4268	service.exe
4340	service.exe
3868	service.exe
3040	service.exe
2568	service.exe
1516	service.exe
4072	service.exe
4876	service.exe
5116	service.exe
5084	service.exe
2096	service.exe
332	service.exe
1504	service.exe
232	service.exe
2160	service.exe
2160	service.exe
2160	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4008	2208	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	88
PID 2208 wrote to memory of 4008	2208	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	88
PID 2208 wrote to memory of 4008	2208	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	88
PID 4008 wrote to memory of 3120	4008	cmd.exe	90
PID 4008 wrote to memory of 3120	4008	cmd.exe	90
PID 4008 wrote to memory of 3120	4008	cmd.exe	90
PID 2208 wrote to memory of 4508	2208	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	91
PID 2208 wrote to memory of 4508	2208	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	91
PID 2208 wrote to memory of 4508	2208	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	91
PID 4508 wrote to memory of 1352	4508	service.exe	94
PID 4508 wrote to memory of 1352	4508	service.exe	94
PID 4508 wrote to memory of 1352	4508	service.exe	94
PID 1352 wrote to memory of 1280	1352	cmd.exe	96
PID 1352 wrote to memory of 1280	1352	cmd.exe	96
PID 1352 wrote to memory of 1280	1352	cmd.exe	96
PID 4508 wrote to memory of 3944	4508	service.exe	98
PID 4508 wrote to memory of 3944	4508	service.exe	98
PID 4508 wrote to memory of 3944	4508	service.exe	98
PID 3944 wrote to memory of 988	3944	service.exe	100
PID 3944 wrote to memory of 988	3944	service.exe	100
PID 3944 wrote to memory of 988	3944	service.exe	100
PID 988 wrote to memory of 3340	988	cmd.exe	102
PID 988 wrote to memory of 3340	988	cmd.exe	102
PID 988 wrote to memory of 3340	988	cmd.exe	102
PID 3944 wrote to memory of 4084	3944	service.exe	103
PID 3944 wrote to memory of 4084	3944	service.exe	103
PID 3944 wrote to memory of 4084	3944	service.exe	103
PID 4084 wrote to memory of 2804	4084	service.exe	104
PID 4084 wrote to memory of 2804	4084	service.exe	104
PID 4084 wrote to memory of 2804	4084	service.exe	104
PID 2804 wrote to memory of 2224	2804	cmd.exe	107
PID 2804 wrote to memory of 2224	2804	cmd.exe	107
PID 2804 wrote to memory of 2224	2804	cmd.exe	107
PID 4084 wrote to memory of 1512	4084	service.exe	108
PID 4084 wrote to memory of 1512	4084	service.exe	108
PID 4084 wrote to memory of 1512	4084	service.exe	108
PID 1512 wrote to memory of 4108	1512	service.exe	109
PID 1512 wrote to memory of 4108	1512	service.exe	109
PID 1512 wrote to memory of 4108	1512	service.exe	109
PID 4108 wrote to memory of 2916	4108	cmd.exe	111
PID 4108 wrote to memory of 2916	4108	cmd.exe	111
PID 4108 wrote to memory of 2916	4108	cmd.exe	111
PID 1512 wrote to memory of 3916	1512	service.exe	112
PID 1512 wrote to memory of 3916	1512	service.exe	112
PID 1512 wrote to memory of 3916	1512	service.exe	112
PID 3916 wrote to memory of 1528	3916	service.exe	115
PID 3916 wrote to memory of 1528	3916	service.exe	115
PID 3916 wrote to memory of 1528	3916	service.exe	115
PID 1528 wrote to memory of 1460	1528	cmd.exe	117
PID 1528 wrote to memory of 1460	1528	cmd.exe	117
PID 1528 wrote to memory of 1460	1528	cmd.exe	117
PID 3916 wrote to memory of 1276	3916	service.exe	118
PID 3916 wrote to memory of 1276	3916	service.exe	118
PID 3916 wrote to memory of 1276	3916	service.exe	118
PID 1276 wrote to memory of 4708	1276	service.exe	119
PID 1276 wrote to memory of 4708	1276	service.exe	119
PID 1276 wrote to memory of 4708	1276	service.exe	119
PID 4708 wrote to memory of 2568	4708	cmd.exe	121
PID 4708 wrote to memory of 2568	4708	cmd.exe	121
PID 4708 wrote to memory of 2568	4708	cmd.exe	121
PID 1276 wrote to memory of 4540	1276	service.exe	122
PID 1276 wrote to memory of 4540	1276	service.exe	122
PID 1276 wrote to memory of 4540	1276	service.exe	122
PID 4540 wrote to memory of 3508	4540	service.exe	123

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBHMC.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MGPXHDOIJSVWIJG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3120
- C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
  "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1280
- - C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
    "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPCOWN.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VNDRMKPCPRMFIKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
      "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBXQVH.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJACDRNMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIWAWX.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RSNLODRYITYIUGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKXIG.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DAEAHTUPNQFTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLHEVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVWTCO.bat" "
        10⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMALULAVRMVGWBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHJSOB.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUMCQLJYOBOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYHHSPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSJHS.bat" "
        13⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OULJNIPEFXVEFYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPKJLBOVFQVFSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBTXSO.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEHWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGFHCAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSFCR.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDQGUQNSFSUPIMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        18⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMWSFC.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSFSUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        21⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMIGIYLTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSTQAL.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AEJXWIRISOJSDTD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
        26⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBTXSO.txt

Filesize
163B

MD5
ee43c5410ff083f25fe89002fbc791e3

SHA1
d6326230df59d77df3a85811dba022b53d798167

SHA256
7d62d099d0f41de498f140ec5675d421e9d416f2304ba756a809064125641b3b

SHA512
558661a6298c381c12b30a21dba3f87126bdbd37575ee076a70752a5e18e196fb5db5fcc136802c6e588baed6e017bfdf060f045c825d73a4dd0ff9b4fbb619b

Download Submit
C:\Users\Admin\AppData\Local\TempBXQVH.txt

Filesize
163B

MD5
0421624f831bbfbc55712498f7ac30f1

SHA1
2f08a37e248d3dd392af140a8abbc5843fbf8122

SHA256
27663237f1252562de4d6ce1a91f02515be5be04b426812066ccec990a2bc963

SHA512
e46addad1851c2deeef2536d79763f1932a64b53473683915f1a9e5ca188504df1df8890a0b5035b7f745b656700bebcd50c3c7750dbfa8533e99be8dea0f929

Download Submit
C:\Users\Admin\AppData\Local\TempDHIRN.txt

Filesize
163B

MD5
662efbf888c6d75769e8c5c0dec1d01e

SHA1
3181e950587a5f94a137cf768dcd15f46c0772af

SHA256
b32b596d5872682dbfc521ee0f94fa698be838962b81585fd54c2523bd621736

SHA512
f56692d07d039f1af97946589fb878bf6c93a7cb2e7d8fbd4b2f24716cdf0cc10dd904e026894fa5128bfe108058403a6b1ff5fc4e1f3bdd53f5eebc4c484c8d

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.txt

Filesize
163B

MD5
7ed000eed1ab7f3420e001d25a18e2e0

SHA1
c53a4d8d38369ee75f7de08af9704b1032aeba66

SHA256
6f4c0bbe1807412382dfb5ef438f76d25474df51ca65947fc4b6efd98f49a840

SHA512
1ef1d0bd91022d6b1b06eefed48e0adeb5d4d988b65e4fa1819d5ce4d95e56612f73f0ed8f5fd1ef37ed2f354757ccbe0ca1bcbe76196eb265a098741f04a2e0

Download Submit
C:\Users\Admin\AppData\Local\TempGFJWA.txt

Filesize
163B

MD5
6f2cf50a62a16cb7fa6b57880d901e18

SHA1
c31130c5581bb2c672d184800d61c3e7a3217bd8

SHA256
d77beddb0fe4ccd067e5ff2ae22ff746338db624a86bebc6067210885984a916

SHA512
b8c15169106c31ccfad7436e321d1dbbbeeac0c2ca9a2c666e92501da6612b9c004b99616e8c837d92d67097a86d2c15428f9c62b3a50b7fe60ef91e9365e63c

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.txt

Filesize
163B

MD5
f662fbbeabc47fd6044be333884d08f8

SHA1
6a2789eab411b65025f34c1ef223f3c57ba9b370

SHA256
461ca657c06bf7f5612fa2a53dd8ce5948eb219691b4bc9bd13062935b8c553c

SHA512
ca54498fe5f840caa6344bb8e01792c95f2a7a0ff383899c5ee2f03cf7a144da6979e737e529beac0c0848066b2f8cb259cda2464730405547dba92771e6b078

Download Submit
C:\Users\Admin\AppData\Local\TempHJSOB.txt

Filesize
163B

MD5
9a43227d9d25c3b74f5890f01e9d031f

SHA1
a43915501c16406c07d6da843d4351bece3b5481

SHA256
aca7d0f9b9f8ff095e80b697b20c195eebdf5d581194972b659df219739e74c3

SHA512
38e5f238b195df3b540aa20e2afdbe60baffff136f14b50cf9e6b3c3a4d104bc20090468e052a5817cc1d933516dac9328688523865c641d656c34c54d276745

Download Submit
C:\Users\Admin\AppData\Local\TempIWAWX.txt

Filesize
163B

MD5
1d380f5540941a2d03e8a4cd4aba6bb6

SHA1
05571e48a5d8c4e9f85de251c401bb470e4bdd57

SHA256
efdd646f3f9cafcde52c14e3e8a81af258fdbfb171b08af7c316f7a910ff4d46

SHA512
27da3d3c0f07d654502de410f4065fcd8f4c3abead470d2ab895af3bfb45318457a9f0fee4f3ed4ab665926ccf7e5b189d9ffc5646878b883c37aa9b79f485c9

Download Submit
C:\Users\Admin\AppData\Local\TempJSJHS.txt

Filesize
163B

MD5
42ea1a3ef60848997a8e479f243e3561

SHA1
cbf65e1367eb66d498dc47efa36adae5903ef8a0

SHA256
bf0e1c29fd8185ba6e5a60134f47220722e669a6924af09c2e6fdbd4748d049f

SHA512
c2aa351c4aee68bb654fdb58f49ceaf666ff34ccc18c0dd7543e12bc4826e767ce6e80ccf3fc50db7569728db412ca40328aa22f6986185332595dcfa328bc0b

Download Submit
C:\Users\Admin\AppData\Local\TempJSOWN.txt

Filesize
163B

MD5
9ebeb1bbe4a4bc810eb37f9b4285fd99

SHA1
870b078d5bd267ed25bd46a3ccb02c6e12015ae3

SHA256
b94b332175f87071708e53728debf49cd1862922506864f4a2f5d94761947b50

SHA512
18ba50012d07bdb3b67a8f30bc3bd2456b0dffd72c2f222765f93e4d342b48e9c025e87b4fec173b4600d75466ef59532dda83f6f112ea68d2be4fd87bccdae4

Download Submit
C:\Users\Admin\AppData\Local\TempMWSFC.txt

Filesize
163B

MD5
d436191c50229e232e217c85c462aa77

SHA1
b2aa8f91e2a09897c42675400e041b62bf538101

SHA256
9ffcad743b0bbc3436f3b164eeb4a24245c1cbc77f61b527e918a3d31e2485a6

SHA512
12a6358d4d810873c33b140f50c7ae47ea0eba0d9ce26c3b37b8a24a52c1c06d2b68aeaed032fde2fee3fa4e836baca9e144d9b56062ee1ee7733718dacac5ce

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.txt

Filesize
163B

MD5
6f37bf87416de1c98fafbe87180d9d03

SHA1
fb17273119e4df1d10c79a78bd0a9872580856a1

SHA256
9de1012d1bd2cb99ed801dd9ea89da00edc61dc142c9a41626680d69d0777717

SHA512
58f51727285195df90c585a09793f500b4144bb4f19b21da2803e6eba65e08eacc002e21d72b2a7c46c91c05530f5cbb96674112c73315f11e96d7a8774e72b8

Download Submit
C:\Users\Admin\AppData\Local\TempOBHMC.txt

Filesize
163B

MD5
70184d94e9f3f6e8777a1f90db341b13

SHA1
f9102f4d54a9ea9bf8c17752e02757a1a67214b6

SHA256
bdb37d995521e3e457625bf6f7dc3fe98a2ca277b93c74202a8e14df145f82c5

SHA512
fb6dd1225d9f379f79dca5e5297a84c3234776b485f4f8a05849c74f5918fcc7e9398238b844124dbda97423488ea383528d44f18eda1286545f554886247e45

Download Submit
C:\Users\Admin\AppData\Local\TempPCOWN.txt

Filesize
163B

MD5
b9bdb0081d50820c8a9224cdcc843384

SHA1
0a24f9900d36d1d32c4bab84d8b771ad20188640

SHA256
39a8e2908f0b834e3d206d4fe5bbbdc5b00ebc54c979cb4473746752f6729cb5

SHA512
b1f32c3d5ccda50f472ef3e5e2559bd83b7439244ba5eb4d752b66bcc2752604e7cb9e888d76d4d2421b472d3ef26dbcf3c9de0f85f41b9b74ef0635f4171d31

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.txt

Filesize
163B

MD5
878f9cef61636cca20cfb70db6163294

SHA1
6af0e6d2f4839baad8de028762aaae888e12e698

SHA256
224e5d724d4f06b25b986fee6169b27ae18dcd8060982a5842bfa7a22430dda3

SHA512
84b6f14411541b4043692c395b4167e6d619573e1495a2aea63063ff7439e91c5034f75e664159462c7540a1a646560b6af8645a6033756dd804924819ccd211

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.txt

Filesize
163B

MD5
5f86bd202bfcd38eb1df9dc3f99b3f2d

SHA1
20eb5c3c335c0ae536940a2687e7a4b19f36ce56

SHA256
d321062aed8a7c06ac93888227db15ce99c621f0c1f748ed53813a296aa4ab84

SHA512
4ce449ef9cbe9707adba1be3be1a650c1ff846ad9f3af74ed8428ab64f9c35f0425482af8c5d68afc7d9eff857e369b949b65d9f03e4f7f515f1f3fb3b02045c

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.txt

Filesize
163B

MD5
e2fde989efdfa9c12af7ee59baa74dfd

SHA1
496290188649323aeb029f1cf8f70cae43d00d99

SHA256
f31507d060c2098a8887e1d7b0fd0027d7c1377c0619d70c81536feb4f0344b2

SHA512
6e49925b5f00549760fdedebc04f53716c4943d0d1d0f303ef771a061767b8cda3e6226f564e8641433fac63d7cf33b598615f31c5059779093239d4351fe282

Download Submit
C:\Users\Admin\AppData\Local\TempSEMEH.txt

Filesize
163B

MD5
5c86f637d8894a6cf2eb5fc686133c84

SHA1
316501888a2b7a55b97ee6fa37b7cf37d702ffe5

SHA256
b7025229dfd24162095f98f29366125ae11f4eb511634ef8969ad338dc8fa84b

SHA512
99bdf20ddc96cfc80c13a59c71a25b5900ca800362c9ee079eeb8b213437d1260d83952ed9959193c605f1195d43b203421f7c801da0cc869f453df1a35b3551

Download Submit
C:\Users\Admin\AppData\Local\TempSTQAL.txt

Filesize
163B

MD5
2d444a1f4b3b0a068f8a2d86ee91ddea

SHA1
3710de6bbffdf5fb1bf171ba6c97f7af835dd692

SHA256
bb5b8cdd96c8397e4738b0e337da9392b5d0d15ef6a186db4b7f5d35c2d1d057

SHA512
2690efc4c90472096b2fcbe0cd6894c8e02fa19346e653923280e37ca2a0eaa6afd6d487f089266becd8d0bbb0b152f56f619eee05120c40d1ca8a72a892c210

Download Submit
C:\Users\Admin\AppData\Local\TempVGFJW.txt

Filesize
163B

MD5
ac25c8c9ed6bcd533246820219581d49

SHA1
48d325f7a561d8de40e892dfc28e05bacd7a9637

SHA256
8c5c2f6e28be144dc065d86a1fc060648df942eea0b3a65289dad855126a4176

SHA512
9085d29aedd00a6be910a9b4b17484e744164ec6c3c8cf10cc70d2643bd2e1f69fe5299fba25b4a5fe56dc75f16830b4b884f3ddfa26f1741fa8322d5e0d0555

Download Submit
C:\Users\Admin\AppData\Local\TempVKXIG.txt

Filesize
163B

MD5
5cb7a134205578e75c05adb5b04eea43

SHA1
a0dc3ba15b04f5f31f63788e1731cb00852dcbef

SHA256
69feaedfc927f5a4b893e3958246361a4bb097c25270680f07f6ef29b12c2bcd

SHA512
6d598e2b18dd606e7a8e3305529a2239593dd0b5c113001a73aa1f20494d948179c4d73dbd152b6f1db1b1bffde6b58f96cc61bb71ae1da9e887ff4ffece9e2c

Download Submit
C:\Users\Admin\AppData\Local\TempVWTCO.txt

Filesize
163B

MD5
f4eace3b16b0774bb478b9e9f7eaeb35

SHA1
0264561da594b48f388d4bfedc24eac48fd8834c

SHA256
47c5b1731923a2b5c4d2159aba45c2b252c66cf0ff5baf92fe0b1d34df13a943

SHA512
2947f33d8726b7d1943b42f5b048dcf9f0bfb07119697b27b9cb7e0a5d2b4668037d5fa705e23bedd54376307e9e3b3722240fa75ed9d631bdb0149796ede7a1

Download Submit
C:\Users\Admin\AppData\Local\TempWSFCR.txt

Filesize
163B

MD5
35bfbee1dc846547018d21be699effc3

SHA1
e75fd91255fffb0d4d0f0f65349af6b737fc8bf7

SHA256
0c13608f5998a08bf5afb026f729d178758e184233f44771f799707fc4202e86

SHA512
14a4964fc902035fdf9c37336c6e36f07d94fb297d905047a74f7049710a81e1fa3ae70882c694db59dc1db348e0ea66138ea90d34ecaf9b4bc908c16d17b8cb

Download Submit
C:\Users\Admin\AppData\Local\TempWVRSS.txt

Filesize
163B

MD5
ecbf0cbab9dad148c5ad57d1ce1f59ed

SHA1
42a9f5253fe3e05faa59878b2382b77ea8341b2f

SHA256
169fef7bf9b907f256d2785a26cc1cae9cfb98f3ef15023d2b8827b93d8f5911

SHA512
5e5e40a1120d77c18885c99c2112aaec6e03305faca1e6cc665346d6fcbea46f56606808d7949edd8dc0ea3e212bad0d349aadeb07afdf9a96440c50e5c8cc58

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.txt

Filesize
163B

MD5
05608828504e3676cef951b8df0129e0

SHA1
c21932475e83ba219e6025657a54214fc43fcf32

SHA256
be65e5129ad5455e50dac2a352062c7f82c1c8dd519afc01e682ce7d87dd15e9

SHA512
3322f59fa383e0e3086ff2598b50348b6865702f71a63b47a900c3654c29b1a26f9775fe1b2dad31352125f9870e47b042b1b008a20773d8b3ebd21ea3ce2372

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe

Filesize
520KB

MD5
7f15128fba5f20375521d65bbb60212c

SHA1
32f6422960bf1d99ca724015a0d24e2f2e6bb60d

SHA256
3ade0a6e1cbe2b86e93c262551eefbf270cad8faba8c5f46d1b7fa81f413b9fb

SHA512
7686e374bfb115687f5c179e5fe4e86300b12c86b590a2e13a4aeeb6dbe3065f607295ded423cad0036d036c1c5ab03f245767f0e4d223eeaf603a28892fb5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe

Filesize
520KB

MD5
06b9da828ef7d50d37174bcd013bf492

SHA1
ebce35af00f75faf8bdab3b5e8bc2d1c75afe5be

SHA256
6b458101e004754aef571612742d3bc792e5effa26f63767453b250f292904eb

SHA512
01c9aa31c0403be7995284ff11d7c1f529e3a67b32b33ed96b941eb69bdada242f3e119363e9c5a16119bea752577fbd99ff2b625d3dcac0f106a6eb9d49708a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe

Filesize
520KB

MD5
aa924abd66fb2c619c17710212cdf7d5

SHA1
f3fe74c80568f1572c2184d8071a2e7aaa0aefb9

SHA256
5788aca6e9714744c6d52703ed4a5ee7750d711c6902936b951c4a2c4518cbe4

SHA512
22513328644341a97e69c9560bf01c081ecea35827b82845bea26bbad89732a62bd4885ebfba4673d32bc7ca80a8b026dd661f4be5b4fd886a54882de4c399a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe

Filesize
520KB

MD5
73233ee8c4dd8c60c96a777193efb970

SHA1
1d628262a3b9025dd39df17ab0e1fede097714fc

SHA256
cfef66cce1b9bf1aca1ae57f02a3e60c6764b1bc9d2851c3c96709d62695b091

SHA512
67d3ccdaf708c249a570a6ff4f4e75cd8014bbb9136460273e2fce28b04fab2f78c226886632f791d03b5bb81cccadbd9cc8830b601f1599ab6c5dcec2f7011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe

Filesize
520KB

MD5
0e5c174c5809b1356a71023fbfed7152

SHA1
d5c446645a7601f708e4beb7dd8e9d015d58577e

SHA256
f3124072b34838e1bd1f1c98e4017701705d22df3cd4e3c65de5921645c1e06b

SHA512
b44b619c449a9f6aec143302a4279b72ffa810451f5f1feebca3a9a8e42ada35aea141c71188b7b8480d58a6ce46114e0c2354cd7ac9c65f08bf882bd425a160

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe

Filesize
520KB

MD5
38c0fb623671cccec28f35c6c0241777

SHA1
bd180313ace092c802b8188e64d3d9dd735010fc

SHA256
90b1f567d0bb51c587be7084ce2536129a5a38d4fd2e8c418b231317c90d9d7e

SHA512
4c283c435fe54035bf4f4e695f135f83f2709434fdcfb129e8ff9b147771b56c2e1e4ed767a3f46c9a911f24cf5638a63f11d7ab02398e691df9cd5c01b0dd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe

Filesize
520KB

MD5
cae5b725014a82c9ba96b81702c377c0

SHA1
702421bd2ee6f9ac197a2340885da83568fe4ca9

SHA256
79289bddc0a421473c853f58df17254e485a4a02a744580d59eee6835454f5eb

SHA512
4c023fc26c78ac24fbf607472a859b66382815f5e9bfb85c372eb85ecd5b4de052d96127846ddd3b7f7da01925929de8a1b8116cae586aeb8e8bb1cc5e92e51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.txt

Filesize
520KB

MD5
2ffa10b8c4647b3fb8af823dd885af87

SHA1
9668569e5697e192f78bd6679878beac478629cf

SHA256
0f151230b680a51b148525075d280cb4c556276aae1b07f27f1647784114fa1d

SHA512
ea078db38fcbb366eb219e3be060bda87da7fb630bfe088ef62cf6a3b8effc0364e33cd8a36cf330b7db3b56cfa93f2c4000ec42c961aa6be90d986bece625bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe

Filesize
520KB

MD5
c10080f6f65e39e92b7ca5495f4e9b59

SHA1
97a2f2b8d1663b21c41f7d51682f712c1e5566b9

SHA256
bc04daf6caa6ecc55ce8071d83d4ac397e54d3f2e945ef58785064dd52373219

SHA512
c9fdc476022c1c946b4b631259ffc07c47f15f7ee7e4747b1fe34022a30de1196aefe704461f3f224d13b42b42797e0a8085a2550351a81e5568224fe72960b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe

Filesize
520KB

MD5
42f95c141450c2a7112c51c4c8acff42

SHA1
980b66f8edefb0c14b8c5da67fab0f24a1b129be

SHA256
9284ec566d5387286a58f53534d3c9545c8e68fda235c2516df689a3b13635cc

SHA512
c8cb1acc79f23fa1614176ef78d69b3f01a1bc40d522a09b926f05e1b329f26b925efa0d105313f44d3053438871faeff8677ce4aaf3911bdccd3ecbcc45af6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe

Filesize
520KB

MD5
6b95ccaef900346551ff7a469656b1a8

SHA1
96c07530ef65f17d6ae7447d646213ddf4e97d29

SHA256
e683552e7e22a4e6d56ccf67941f7332c2afaf92055babac43e5ce86890ac808

SHA512
29aa886e0136d858e077207db7dd407ed0ef839bdb63256b2ff1e0f17efe669b19ccbae5c2958acf2501bc90ee26cfaf049f0d2d6d90feda064ff80e1b53a76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe

Filesize
520KB

MD5
6803d5f61a3e288aa963872f7daa94ff

SHA1
c67a976672379913d50bac9c34be3d6661a8a84d

SHA256
be5134a6917602562a3eea76b54c05632943952405bda39154098bfc47093616

SHA512
051936e7363ba0908daccdf14f773e915e456b9ea400ce4937981a439e1486de94295ae646b55556884d224a459e876cd86d80ba40cad5ead5537626415bf902

Download Submit
C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe

Filesize
520KB

MD5
72f1ff88d03d16c0c0e813fc9e0a41c8

SHA1
d4e9f91b1de27f887424477829856c3c491efb61

SHA256
26bc65e8bac4d820db93588dff096aa7eeedbf436f8fdeaaa9298377b4faaf72

SHA512
17697c103342c99444369424a9728b9fdf20bc7fc4cd34fc9075f3039af8c66fe440915d0c29144956fcb416bff66cff37e231b93eb7adb72c9cf9936049ce30

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe

Filesize
520KB

MD5
a351a374c46058a7020bb221c258edfd

SHA1
fac6dc944e6bf02cb52b37121c0580dad48245b3

SHA256
f82abb5742acd7f265ba5c793335e94275b9e31941f62d2316095362628cf839

SHA512
39cf4c01f90dd6a1efe2eefa8aef1a0d3f3c2d05be2a85caa53165ae52dec0e10a907d0bd0a14427eb8d05f69e69f00716367d4cb016217070f18c30b883fad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe

Filesize
520KB

MD5
c2904726c27c62edcfdba652961dec4c

SHA1
e479be8fc0ec80f99932d26ad3885793615378fa

SHA256
101e2a2bba03f55812afeedd360d51e643cc3ce7d1e0c15be870305f111f6057

SHA512
b8b85b6fbd980e5ccb5382e91050569d85b2238d777e10faa141482501ef53f34d8fca82ae3d42cd1e485b469abdd9549541e010babbf47733a379e695aff321

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe

Filesize
520KB

MD5
1319be852b3ac93061be8cb620ca7919

SHA1
e15bae19f15eb9ef410a7afcb67491e52aab73a6

SHA256
a958dd07644a2a115f7e0f5a46b1c96c3ab07382f6d6cbd83a239046056731b8

SHA512
92ce42232e38bd3512b1f70335b9b62dc777c0e44b805e1acb2b1d548051a664c7668544ea84a3491b74893faaac49cbcdc5e9a9a60c4e8f4968c3cf38384475

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

Filesize
520KB

MD5
bc521526298c3bf6e96e01e49beb179e

SHA1
014c22710913b9cb8a3f387c0264aa67e882e1aa

SHA256
98097c56d32f6c6d519d086809e0aa94e1de15fe04c87a394d4f418a6f6b55e8

SHA512
fd919259477930c87d97f0871f7c8937c8c3be061f4a0ff7736e77d87894839c9f49aaf7ebc1d5ee1b793f9638355e89d34f7f4adf300e3fde574c0888d48845

Download Submit
C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe

Filesize
520KB

MD5
38c6aa80461c2a8ba3ce645864fc5c16

SHA1
b5776df8f676b12004a7bd71235ccec530cf8404

SHA256
14bc2382f2178df41a7b6abce5fab2074e4f50eaefa02703de830bd903186211

SHA512
1ca20ef7d1e1f339cf4590f812db917dadca69896c1652b67939b133ab12bac52cae34411af5a039ff85bcf185b67a15dc9bc5cda30390ddff0547d9bfdb1d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe

Filesize
520KB

MD5
6750c4e10c2d462b619e5bef4ec59805

SHA1
c4b1fbf8747d3fdb7ac66242d2e039a4699bc57e

SHA256
c53bab4aadfaa2774404633bfe0c50ba35478b6477ad595fe93f87e88e02b061

SHA512
2a9be692a88fb07962098a864dda6d886ad0602d549217ba9064e3410b9033120d5a28db893ae4ea3b220d16015cc48ee7054a9a9157b6e678201399b9ce53d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe

Filesize
520KB

MD5
ad1189ce23329fa054bc2158fd43bb4d

SHA1
5de0c8f870d04d72290b6dcd1a29fba8f2fa5612

SHA256
9781054c91a12b59745ecc3fcdbc19fa45fee75b4d21ff17c9c829c152816efc

SHA512
621b0d539fccfe76abdace9b15cc0c649c75e0693157ed482711ca6f9a871c3704756500f92c9af988c991c7d47259261545196996d45fa0f9390ca0459b9a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe

Filesize
520KB

MD5
db7c2ff2933095dcfae08c48b9eac92d

SHA1
adf538488b08479cff788339f3fb8160d3a58309

SHA256
9c71d0dcb0cde4a85abde79239d652decbd2f2dea346fb973132c863cade9dab

SHA512
b94cd0801f4bde739cde970cbf0140a51d0093713780fa4ae67689e1887e406f8a058ef5bf6e7ffff14e97d61456b53166918c24ea971ce78902c1045149687a

Download Submit
memory/2160-672-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-667-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-666-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-673-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-675-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-676-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-677-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-679-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-680-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-681-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2160-683-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads