blackshades | 4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe
Size

520KB
MD5

49c3505efe07989e447370a1742e48a6
SHA1

e1229422ea9335ee6d9ed312ea43b9485edc917d
SHA256

4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e
SHA512

96748f6207d7f036b634bb6f72c2f0058223737b189f4a9bfadbfe1031721d6bc501340f5a21b88ee78f6516bc492802c59a9ab95f7ff02ed602d54bb9e8c985
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXe:zW6ncoyqOp6IsTl/mXe

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 14 IoCs

resource	yara_rule
behavioral2/memory/3812-380-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-382-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-387-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-388-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-390-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-391-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-392-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-394-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-395-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-396-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-398-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-399-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-400-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3812-401-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRSOMTOESIT\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 15 IoCs

pid	Process
1156	service.exe
3544	service.exe
1304	service.exe
4152	service.exe
4748	service.exe
1520	service.exe
3580	service.exe
3388	service.exe
3956	service.exe
3336	service.exe
4504	service.exe
4904	service.exe
1684	service.exe
1584	service.exe
3812	service.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWRPAUHAUWBRKNP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXIJGPBHMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIGKFMBYCUTBCVL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBRAISOJDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGGIDAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEBPTYFGDMEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPDPAXDVUQREKRR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEVRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCMSKBADESAONHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABGES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVJVGFJWXAKQXXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRSOMTOESIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WKLGEHXKRAMRBNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYOSXEFCLDIW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AEJXWIQIROJYSDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LOEJXWIQIRNIYRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAFAVQDL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPNLPDGCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ULAURMVGWBGVWTC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYWNXQPRDHMAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNKJNAEAOUMDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 3812	1584	service.exe	151

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1892	reg.exe
4508	reg.exe
2832	reg.exe
2968	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3812	service.exe
Token: SeCreateTokenPrivilege	3812	service.exe
Token: SeAssignPrimaryTokenPrivilege	3812	service.exe
Token: SeLockMemoryPrivilege	3812	service.exe
Token: SeIncreaseQuotaPrivilege	3812	service.exe
Token: SeMachineAccountPrivilege	3812	service.exe
Token: SeTcbPrivilege	3812	service.exe
Token: SeSecurityPrivilege	3812	service.exe
Token: SeTakeOwnershipPrivilege	3812	service.exe
Token: SeLoadDriverPrivilege	3812	service.exe
Token: SeSystemProfilePrivilege	3812	service.exe
Token: SeSystemtimePrivilege	3812	service.exe
Token: SeProfSingleProcessPrivilege	3812	service.exe
Token: SeIncBasePriorityPrivilege	3812	service.exe
Token: SeCreatePagefilePrivilege	3812	service.exe
Token: SeCreatePermanentPrivilege	3812	service.exe
Token: SeBackupPrivilege	3812	service.exe
Token: SeRestorePrivilege	3812	service.exe
Token: SeShutdownPrivilege	3812	service.exe
Token: SeDebugPrivilege	3812	service.exe
Token: SeAuditPrivilege	3812	service.exe
Token: SeSystemEnvironmentPrivilege	3812	service.exe
Token: SeChangeNotifyPrivilege	3812	service.exe
Token: SeRemoteShutdownPrivilege	3812	service.exe
Token: SeUndockPrivilege	3812	service.exe
Token: SeSyncAgentPrivilege	3812	service.exe
Token: SeEnableDelegationPrivilege	3812	service.exe
Token: SeManageVolumePrivilege	3812	service.exe
Token: SeImpersonatePrivilege	3812	service.exe
Token: SeCreateGlobalPrivilege	3812	service.exe
Token: 31	3812	service.exe
Token: 32	3812	service.exe
Token: 33	3812	service.exe
Token: 34	3812	service.exe
Token: 35	3812	service.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3828	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe
1156	service.exe
3544	service.exe
1304	service.exe
4152	service.exe
4748	service.exe
1520	service.exe
3580	service.exe
3388	service.exe
3956	service.exe
3336	service.exe
4504	service.exe
4904	service.exe
1684	service.exe
1584	service.exe
3812	service.exe
3812	service.exe
3812	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 4840	3828	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe	88
PID 3828 wrote to memory of 4840	3828	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe	88
PID 3828 wrote to memory of 4840	3828	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe	88
PID 4840 wrote to memory of 2596	4840	cmd.exe	90
PID 4840 wrote to memory of 2596	4840	cmd.exe	90
PID 4840 wrote to memory of 2596	4840	cmd.exe	90
PID 3828 wrote to memory of 1156	3828	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe	91
PID 3828 wrote to memory of 1156	3828	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe	91
PID 3828 wrote to memory of 1156	3828	4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe	91
PID 1156 wrote to memory of 4484	1156	service.exe	92
PID 1156 wrote to memory of 4484	1156	service.exe	92
PID 1156 wrote to memory of 4484	1156	service.exe	92
PID 4484 wrote to memory of 864	4484	cmd.exe	94
PID 4484 wrote to memory of 864	4484	cmd.exe	94
PID 4484 wrote to memory of 864	4484	cmd.exe	94
PID 1156 wrote to memory of 3544	1156	service.exe	97
PID 1156 wrote to memory of 3544	1156	service.exe	97
PID 1156 wrote to memory of 3544	1156	service.exe	97
PID 3544 wrote to memory of 3008	3544	service.exe	100
PID 3544 wrote to memory of 3008	3544	service.exe	100
PID 3544 wrote to memory of 3008	3544	service.exe	100
PID 3008 wrote to memory of 3612	3008	cmd.exe	102
PID 3008 wrote to memory of 3612	3008	cmd.exe	102
PID 3008 wrote to memory of 3612	3008	cmd.exe	102
PID 3544 wrote to memory of 1304	3544	service.exe	103
PID 3544 wrote to memory of 1304	3544	service.exe	103
PID 3544 wrote to memory of 1304	3544	service.exe	103
PID 1304 wrote to memory of 1020	1304	service.exe	104
PID 1304 wrote to memory of 1020	1304	service.exe	104
PID 1304 wrote to memory of 1020	1304	service.exe	104
PID 1020 wrote to memory of 4504	1020	cmd.exe	106
PID 1020 wrote to memory of 4504	1020	cmd.exe	106
PID 1020 wrote to memory of 4504	1020	cmd.exe	106
PID 1304 wrote to memory of 4152	1304	service.exe	108
PID 1304 wrote to memory of 4152	1304	service.exe	108
PID 1304 wrote to memory of 4152	1304	service.exe	108
PID 4152 wrote to memory of 2468	4152	service.exe	109
PID 4152 wrote to memory of 2468	4152	service.exe	109
PID 4152 wrote to memory of 2468	4152	service.exe	109
PID 2468 wrote to memory of 2148	2468	cmd.exe	111
PID 2468 wrote to memory of 2148	2468	cmd.exe	111
PID 2468 wrote to memory of 2148	2468	cmd.exe	111
PID 4152 wrote to memory of 4748	4152	service.exe	112
PID 4152 wrote to memory of 4748	4152	service.exe	112
PID 4152 wrote to memory of 4748	4152	service.exe	112
PID 4748 wrote to memory of 864	4748	service.exe	113
PID 4748 wrote to memory of 864	4748	service.exe	113
PID 4748 wrote to memory of 864	4748	service.exe	113
PID 864 wrote to memory of 2848	864	cmd.exe	116
PID 864 wrote to memory of 2848	864	cmd.exe	116
PID 864 wrote to memory of 2848	864	cmd.exe	116
PID 4748 wrote to memory of 1520	4748	service.exe	118
PID 4748 wrote to memory of 1520	4748	service.exe	118
PID 4748 wrote to memory of 1520	4748	service.exe	118
PID 1520 wrote to memory of 4340	1520	service.exe	119
PID 1520 wrote to memory of 4340	1520	service.exe	119
PID 1520 wrote to memory of 4340	1520	service.exe	119
PID 4340 wrote to memory of 4532	4340	cmd.exe	121
PID 4340 wrote to memory of 4532	4340	cmd.exe	121
PID 4340 wrote to memory of 4532	4340	cmd.exe	121
PID 1520 wrote to memory of 3580	1520	service.exe	122
PID 1520 wrote to memory of 3580	1520	service.exe	122
PID 1520 wrote to memory of 3580	1520	service.exe	122
PID 3580 wrote to memory of 964	3580	service.exe	123

C:\Users\Admin\AppData\Local\Temp\4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe
"C:\Users\Admin\AppData\Local\Temp\4d626beedf0f1504998acfa75b22fffe6e877adf28beb67e65df66500bb5796e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYUABH.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWRPAUHAUWBRKNP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe
  "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBTXTP.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKLGEHXKRAMRBNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCLDIW\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:864
- - C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCLDIW\service.exe
    "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCLDIW\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGPGE.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIGKFMBYCUTBCVL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQLR\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQLR\service.exe
      "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQLR\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUHNS.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDSTQL.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AEJXWIQIROJYSDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGGIDAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEBPTYFGDMEJX\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\DMWEBPTYFGDMEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEBPTYFGDMEJX\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWVKT.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SPDPAXDVUQREKRR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEVRR\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEVRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEVRR\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSCSTQ.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LOEJXWIQIRNIYRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCJXFS.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLPDGCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOULIN.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ULAURMVGWBGVWTC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNAEAOUMDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYRWIE.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCMSKBADESAONHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBCQML.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVJVGFJWXAKQXXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        18⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe:*:Enabled:Windows Messanger" /f
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe:*:Enabled:Windows Messanger" /f
        18⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        18⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        18⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHUCQ.txt

Filesize
163B

MD5
e9ea081c5a41b847f5f8222a51e7da8a

SHA1
3b129936a5a39f7565d3313c5cf901807bac8cc9

SHA256
83515ba7a54b2fb22dd4585258b0f0bbcf368c4db790c760e686993ac7d0171d

SHA512
ed3791219f776ce47c40ba9dc6d27a7fb7c3b4340bfb49e806aedaa42d35e65dff753f8d35e7124efb0fca5cb3a8de44978f2d34cfc1bf581acbd373202398d0

Download Submit
C:\Users\Admin\AppData\Local\TempBCQML.txt

Filesize
163B

MD5
e864c80c4f5efdc2a315480f86c1fd3f

SHA1
81dd6256b270b07c996e24d78d7e4915910275c1

SHA256
f9b16a287a02ae101d814ffe9da3d54b62eeb7a764009e37aea85741857d0a9c

SHA512
0cdb3617693d393065bc6aebcba918be55e477f36c7f445b61ccd1f21595344c60c7727700b6f990ecc429b832cab46f45b68749e40cd223f9418381c0928052

Download Submit
C:\Users\Admin\AppData\Local\TempBTXTP.txt

Filesize
163B

MD5
c47317449be3119ac5faf6dd8afb6568

SHA1
aa0a2fa34e23bd22a8ec90a09d3ada1695f9f102

SHA256
8531898b620011f35d6c85792e9be138b19e1450ff922d784298e76515c74ba0

SHA512
6af795275ceb9bce6e15f51625c7d6a6b89142d837d1a302bb8c2c284b77dea8e3a7087dc02b7b0f76a2ec1e2f3c964855b95243a28468f1a4eed1ac9097b3d3

Download Submit
C:\Users\Admin\AppData\Local\TempCJXFS.txt

Filesize
163B

MD5
2d520028e84a8884882cd5cd81f2c312

SHA1
3e00a7462187f836ebc40ecfa244430795233648

SHA256
7bbf00a42d15a2349ca65332e0f9c945e41bc79ba207fe97995a8cadf2eb344e

SHA512
7e569d5fc73c9526af9cdd3b7a5545babc70b17053a8ad37aa5409040a16bafc2defd9b38daae53a83fab53ac82d8153426854dbe51ee110ef676d24d389aec9

Download Submit
C:\Users\Admin\AppData\Local\TempCWVKT.txt

Filesize
163B

MD5
5e7c369f040e5935c8fecd8929acc46f

SHA1
183bf9f1ba8b946a90c04f75023571867eaf4680

SHA256
9a0a8fe2e117de9b24ebe8a6f281550efd2de9fa600985f46911987fa43ddb02

SHA512
dfb6797357eea3481ca2f2192dd6e700b16f3399dc3fa11f89bd0838478c9328c9feb01187b691113a7bf4e80f0df675068a6c0cf5079c44541e5d5cbcde4c8d

Download Submit
C:\Users\Admin\AppData\Local\TempDSTQL.txt

Filesize
163B

MD5
f1ad44f89f6ed97d604f082965ccfa95

SHA1
c976a546f6b9af30b00062fe37cd0c2e35ca1a87

SHA256
408ec9757589dd16708e9d5585c85540c991bbc40fa78c7997a484c698a19d21

SHA512
6fa4b4fbbcad61c1c65013547e2ca69dd6577cc39d97d639e009b8148f1ae03ce69dfffa094072bfc19791bbdf539daf449bf13464223c2580c8aeeb1acf7916

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.txt

Filesize
163B

MD5
55386822b98d8ed4a5bcd53a2af0035c

SHA1
a3ab20041af41179863e96d11dcccd0cd0b59bd2

SHA256
4fb2ff9347ddf1ae2a8479001afe115e8619a53aab6a4f9b78936c386dbb917f

SHA512
20e563b7612f5e27712bf31ba8c2a1e672cee48cb7de863ed8ac7f3811e6fce325db375557723a300c545821a1df9fb17bae99dd008a50283e0aa6cde7b2e35a

Download Submit
C:\Users\Admin\AppData\Local\TempMUHNS.txt

Filesize
163B

MD5
d4aa8b386bb83f4d6d01503c671da973

SHA1
5b2e569c24444e758ab1a61c5fb7ab566c1e4f93

SHA256
3439a5c3bb5b7b90e697877fbcb9aff63ec15c7f5436fdeead0388855daf4a04

SHA512
74ad241c98f8899dd7d91cd07435e0b0eb1e3599d0222d728a3517e4d0449a6c9063204622b2e369976ba7accdc9c42b14d5259277e39eb5fa2ab1519390e6bb

Download Submit
C:\Users\Admin\AppData\Local\TempOULIN.txt

Filesize
163B

MD5
c01804d04d7aae2fe9daaec9ec0494b5

SHA1
843a1b29b2fd79b22a405437f8608cb14e834a51

SHA256
ceb5a8f506052dc474433e08d21bc248eaaa20e42296748b6b4ddf1c3093d37f

SHA512
1449a9ec7ea5b5c79af8c36f428e52571a9180978c1c377d1c943206c89b58698fda88da94ffd201f56fa5c1e85fe88f811b09938caf1ed0f739626d7d00d647

Download Submit
C:\Users\Admin\AppData\Local\TempSCSTQ.txt

Filesize
163B

MD5
66d29231a0965ffb378da74c5f9a59ee

SHA1
3e802a1dfdae3c66b433e6496094944d340b033d

SHA256
1b0185416eac1b995f34c3d7f9a1da73331b726cd81ab2ef6268d7ecc4c09944

SHA512
fe633fb541bb028dedd9fce0fd946b60b119df39a3af564d9855b6d112337f15c341dfcb3960a3cc0d0b85effa67a4af5a817d0b252156f7eff2400e9c087c33

Download Submit
C:\Users\Admin\AppData\Local\TempSEMEH.txt

Filesize
163B

MD5
0e90569388f1e3736aacbac3f7b2db20

SHA1
7b68d575332edacb0e7cafdb51a2d8ba8b667360

SHA256
6e75bf8404cc9ca5a1f5f00f189305434ad8e05824be7858d86d5eeddc228027

SHA512
17b3bc19c7fefa5318d92f2a86df8585b7bb2ee6322e14ca8af4557bcfde45866ae7bacd64ee1211c91dff50982b26d59a39773c56003a626519b52707562484

Download Submit
C:\Users\Admin\AppData\Local\TempYGPGE.txt

Filesize
163B

MD5
c5d07a39a1aa4a0d5aae2cef61748f1b

SHA1
dfb6a7cc6a061e5d0947747edc760ed8d6676f9b

SHA256
e24507617ba61ad75785b175040dcedfb40da606fdd95f7884f6c0f895db33e8

SHA512
b7af775a14eacee9c7dfa1311dd75bcaab836aed990184467f6fb2155a64ccffded7cb23fd76f003b6209a0e6a46b0d2c363d69d81cc59fffd9646c52d63cadd

Download Submit
C:\Users\Admin\AppData\Local\TempYRWIE.txt

Filesize
163B

MD5
605e8c1dbed62f2e9d3d055e43f738fa

SHA1
0906de600817712cd65a78425ab00680efc981b6

SHA256
a65a6481fadfcb63211494ad4af47841f3f8b0136160cf1ef57f32907fd59cdb

SHA512
0c9a8ff4f78330542d23b3f157c3c7b8e43459697478a97f0fba86d2b8f0cef5b62e5332fbd9bda003d3250920794b6ead4cff40bb96e339f1e601ac9332d248

Download Submit
C:\Users\Admin\AppData\Local\TempYUABH.txt

Filesize
163B

MD5
cd5d2384b4d49da2c34e2255de8688c7

SHA1
733a41ec0edabe6d609161a30250af6b8c648dd2

SHA256
71c0bf74f51800a6ba0ad7a47298704e15b8791b58a112c221f9f3f61543fd06

SHA512
3a69b4e852a0c90fa74f9097fd103386925561c101dcac4bfce5912f00df4b90f9184f6ec6c165fab6507f25d0a92055144ddcc691d2a7861acdad991fa76d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe

Filesize
520KB

MD5
af8c6e53a5b9b7b65b95dad17ae2b78d

SHA1
eeebcc6be57f068b71e034ee1fe4d2bcb81ca8a9

SHA256
04cc5b5eaa29de16ce56dbf7f6d0a4adb8836b0419f35eb43aaefde75d2b5c37

SHA512
1f2fb718454e79aebef79e2cb30bc6fe741681bbedb58a47cc8c395917fc99aa1706981b6d9d387f9fb15b368cdc1baead771abfeabe9931b482e26089163e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEVRR\service.exe

Filesize
520KB

MD5
1a9958f9b0c2857fc7ebee62cffcf664

SHA1
d1376a21da1f85bc1b0a78e159ffec16972c5826

SHA256
f35208070ecdb70bca39c1ad0d1779895d37669504f8b52297f8aee48f60209d

SHA512
d852a8b668c1d42497779e4febc11e5622819b3f46106be49f50f80d3d4145d776d3c11667b7530769223ed47d3863846742d0339f0d1f61f7d2e4ab1b58b62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCLDIW\service.exe

Filesize
520KB

MD5
a070c7ec3a8737622307ce6a6bf26c1c

SHA1
cf51a1c44f92cd0f13f3d9f0081b5281ab1d7c5e

SHA256
dec76b2d9c70294976e9cda832a611064d2d63528edb6a8c37ae26639cf25630

SHA512
3e6c274bd366e0418b7a92f5258dba751e13a2a7942ee9460f362236495cf4dfa644cc603320ee8d065c6660261d24cca5c7f0770334fc1ccf623046853e2625

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMWEBPTYFGDMEJX\service.exe

Filesize
520KB

MD5
63a94bc1efdb8ab387da1e3024bb5bce

SHA1
852aa90a38acd07c201ddd33895eaffa86fd9eb3

SHA256
4bde6b6a5043a1a4bf75f36d6e991c106ffdac44eab486460036c0c27f7fa033

SHA512
eb9233a3bd3e45db9a5c293d2abe4fab79d90f17a2ffa8864c95c5578bee7a82ff271f52caa4858496aadbb5e3755a745c86683986956b5348a826f48a390914

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe

Filesize
520KB

MD5
96a4b72397e3fd7de8865f1d3bc63ed6

SHA1
137b43bdf3d55d777142fd62bf4a467a79c900de

SHA256
3ef4cdb52d55c40e3dc334c50563a93c97019e8bd4c3ad2084c4b7287619fbf0

SHA512
a220bbce087b1b61766215e74326fb0aaaf96b825776c2affa071abd1c28e3538844a281e0104a8f3165cb6c44431e4acb63b580a23ba3ef891f8ab842c58698

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.txt

Filesize
520KB

MD5
2f435c755551fc0f6199b90f35a3949d

SHA1
6933aa65675c59dfb3a67184243b8637f911e5e7

SHA256
74f94df5636f612513a88d4d99a8c2a4576f570dd854c11192bd7680b44fed90

SHA512
82785caefdd841f9937c298b32037f571d476bb377559545fa15fa77b56463a09b4a33442d33ea36557cd4d5733069f981567355aca01837c0b5252470bfc028

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe

Filesize
520KB

MD5
40d64d1b35bdf71c3a4f077b72756d87

SHA1
5995caa3feba1a298e97815b878bcbbf39c21822

SHA256
cbdeb1cc7ac572ae8049e77c9ff4608eee622ecb96053b623e148ba0fe8c1f32

SHA512
bc1fc2d96da01fafb27e82961ec9a8f39b48cd988f1accc88215e95bdf2ef5a53516da56618adabc280025802490bd06eb75f57f34991537990f1f27e9ced348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQLR\service.exe

Filesize
520KB

MD5
5ac8d72d7205728ee5d9d026f394ea79

SHA1
219a14231db6a01a00cd3d9969937c3655147ba0

SHA256
d6cbbedba409ae9ecde501a0c25e2008730b0e6029e11eb40b24988e7ee4f3cc

SHA512
6fc5c3ecfee97cded6ff3b9cb0472596f6996a47bc776d1417195e33a9dd3748945c708684631b2893a13cbb73be951d7f32a6740d8a395db29b44a8ea1419aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe

Filesize
520KB

MD5
1868d87a40834afa61da9f961fc7e9bc

SHA1
be4ef99d2c8da3ade912b3d6a3eafe7c5c484c1b

SHA256
4007eb9806a784c447fe6b849d129c5458e85756ce4a43c4c861d7af269d2c69

SHA512
4916f9ce5137ba1e154009b0c849c3894c7b84c1c0839d84fdbe109bcfbe801f7ebfe7040f4ea07bdd3e79275274bbcbd4ba332f3ce283b7f3451d904efdd347

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe

Filesize
520KB

MD5
b15dea8eb47435f323703a25b8d661d2

SHA1
e97b75a7a91d96306f72095ddd580656ac05e272

SHA256
d21b2732a68c4842073e2669cafa3003fcd8a2e0a42bca21223098db94c9d5ad

SHA512
97db40836665dd5732f51fd2787c7ee9f34d0a59422954b576784ce77286cb037e64049b0cd18de7cf1b34a1b563156e73827a3033b0a5fd22ea769288521aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

Filesize
520KB

MD5
a65826116333211344289b102713a12f

SHA1
2cea0c70f8198f97f460f860863e9d76151775d4

SHA256
dece1e50a6ff87c19b16579f05896dc08c8bca6156c6703eee6fe00e9a4e468f

SHA512
9e30405d1d8083ec2675bbeb9c042ac61e4801f6593ff4fcfb1f72042eff512b5adaf3ebf2af482eb721c4ba2c42bb4a77d8a15715580427c445dd98868e2ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe

Filesize
520KB

MD5
24ddbbf76548ef8e24cc59a23e8a8c10

SHA1
3bc37e7e3f2217fcce85db43f60d88eda45f860d

SHA256
72a4b5c9495a507093b1236c42d297095e8a9f2fdcf8ac2ac4eb926577cb9eb7

SHA512
180b4525db0dbd3dace2ea4c4ece62e3af5f5a50418392c5c3c1c6465dae1f37b64e7bb375b57d0106ada0eacce5e14365d6940fd9cb5871dd388d241fba9339

Download Submit
C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

Filesize
520KB

MD5
924071bfe37517ab047d1ac5463c2e7c

SHA1
a18578d2761432687957a780f13791cc9f4e8ef1

SHA256
ca9c4ac1f170d4b5650e37ab9c6a83e1e20d6323c2564625c4d1bd3613ad1f29

SHA512
d8131c0923b9c17b0bb286b6053e30152ce071484d87c3a10fcc2b7cd9c9c7a4487d49d0b978ff9560d0751a9c2d521adc2d2f48f2598bf995da49f91c67f694

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDWGSRSOMTOESIT\service.exe

Filesize
520KB

MD5
77bc698b243d89c41809a452378dff83

SHA1
bb9232cbfa8f16b9bce139eceeb6d488a9f022f2

SHA256
e1a95920d930730b1deb60ecaf175378c6d66b1d4e743e073954952e3e3f7e68

SHA512
b9e8289826f5e05dea108027c3f3bb4a07537322be1cf23942cc5c7a2daa2e99f514974ff7d2466c06afc015ecc4f274c163ecb632710d14a97d0be15a81714b

Download Submit
memory/3812-390-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-394-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-387-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-388-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-380-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-391-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-392-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-382-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-395-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-396-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-398-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-399-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-400-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3812-401-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads