blackshades | 412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
Size

520KB
MD5

382a233cc77468e58568ce23c2000306
SHA1

67085d0dbd7416c1c81783ff354e8f835f997191
SHA256

412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a
SHA512

a23b399f5e377ca424334253072292c3adc7f616d520960ffad26b50a019fd5e2899a344dbd57c3928eea71ab3e38906914f7676f6d482c1e4772f6d6dcbbd29
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXW:zW6ncoyqOp6IsTl/mXW

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral2/memory/1276-666-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-667-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-672-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-675-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-676-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-677-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-679-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-680-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-681-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-683-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1276-684-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LGVTJTNLOEJXWIQ\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 25 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 26 IoCs

pid	Process
4280	service.exe
1812	service.exe
1832	service.exe
620	service.exe
1836	service.exe
884	service.exe
5088	service.exe
1100	service.exe
3108	service.exe
2244	service.exe
4560	service.exe
1624	service.exe
512	service.exe
5112	service.exe
4428	service.exe
1656	service.exe
640	service.exe
3792	service.exe
2888	service.exe
3096	service.exe
4452	service.exe
3536	service.exe
3488	service.exe
2244	service.exe
4280	service.exe
1276	service.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJHLGNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCSBJTPKEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOLUGMRDAEHTUPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRUXWYKOTABHES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KUQLUGVAFVVTCNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOJYWMWQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TAGDSRFGBACXSFN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLYBGPGF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOPCHOPXATTIREY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LGVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CXTOBXJYDIXYWFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIHUBLYUSCXJDX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABVBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWANDRNLPCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGELVLQIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQJKTXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESBIDYTHOJNKKV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROPBHOPXATTIQDY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGVTJTNLODJWWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSDTDSTQALR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VRPTOWLMELLUQYQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDSXQGQKILXAYGT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VIOVVGAOXKJWDUM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCOWOB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANTKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IHUBKYUSCXJDXDU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMIIURPTOVKLDKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSUGMTTEYXMVIHU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLXOYRQSEINBMV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WXAKQXXIACQMLYF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYBLRYYJAACDRNM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDRR\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4280 set thread context of 1276	4280	service.exe	205

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4124	reg.exe
4148	reg.exe
2424	reg.exe
4356	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1276	service.exe
Token: SeCreateTokenPrivilege	1276	service.exe
Token: SeAssignPrimaryTokenPrivilege	1276	service.exe
Token: SeLockMemoryPrivilege	1276	service.exe
Token: SeIncreaseQuotaPrivilege	1276	service.exe
Token: SeMachineAccountPrivilege	1276	service.exe
Token: SeTcbPrivilege	1276	service.exe
Token: SeSecurityPrivilege	1276	service.exe
Token: SeTakeOwnershipPrivilege	1276	service.exe
Token: SeLoadDriverPrivilege	1276	service.exe
Token: SeSystemProfilePrivilege	1276	service.exe
Token: SeSystemtimePrivilege	1276	service.exe
Token: SeProfSingleProcessPrivilege	1276	service.exe
Token: SeIncBasePriorityPrivilege	1276	service.exe
Token: SeCreatePagefilePrivilege	1276	service.exe
Token: SeCreatePermanentPrivilege	1276	service.exe
Token: SeBackupPrivilege	1276	service.exe
Token: SeRestorePrivilege	1276	service.exe
Token: SeShutdownPrivilege	1276	service.exe
Token: SeDebugPrivilege	1276	service.exe
Token: SeAuditPrivilege	1276	service.exe
Token: SeSystemEnvironmentPrivilege	1276	service.exe
Token: SeChangeNotifyPrivilege	1276	service.exe
Token: SeRemoteShutdownPrivilege	1276	service.exe
Token: SeUndockPrivilege	1276	service.exe
Token: SeSyncAgentPrivilege	1276	service.exe
Token: SeEnableDelegationPrivilege	1276	service.exe
Token: SeManageVolumePrivilege	1276	service.exe
Token: SeImpersonatePrivilege	1276	service.exe
Token: SeCreateGlobalPrivilege	1276	service.exe
Token: 31	1276	service.exe
Token: 32	1276	service.exe
Token: 33	1276	service.exe
Token: 34	1276	service.exe
Token: 35	1276	service.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
4336	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
4280	service.exe
1812	service.exe
1832	service.exe
620	service.exe
1836	service.exe
884	service.exe
5088	service.exe
1100	service.exe
3108	service.exe
2244	service.exe
4560	service.exe
1624	service.exe
512	service.exe
5112	service.exe
4428	service.exe
1656	service.exe
640	service.exe
3792	service.exe
2888	service.exe
3096	service.exe
4452	service.exe
3536	service.exe
3488	service.exe
2244	service.exe
4280	service.exe
1276	service.exe
1276	service.exe
1276	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1960	4336	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	89
PID 4336 wrote to memory of 1960	4336	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	89
PID 4336 wrote to memory of 1960	4336	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	89
PID 1960 wrote to memory of 3996	1960	cmd.exe	91
PID 1960 wrote to memory of 3996	1960	cmd.exe	91
PID 1960 wrote to memory of 3996	1960	cmd.exe	91
PID 4336 wrote to memory of 4280	4336	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	92
PID 4336 wrote to memory of 4280	4336	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	92
PID 4336 wrote to memory of 4280	4336	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	92
PID 4280 wrote to memory of 2300	4280	service.exe	95
PID 4280 wrote to memory of 2300	4280	service.exe	95
PID 4280 wrote to memory of 2300	4280	service.exe	95
PID 2300 wrote to memory of 388	2300	cmd.exe	97
PID 2300 wrote to memory of 388	2300	cmd.exe	97
PID 2300 wrote to memory of 388	2300	cmd.exe	97
PID 4280 wrote to memory of 1812	4280	service.exe	100
PID 4280 wrote to memory of 1812	4280	service.exe	100
PID 4280 wrote to memory of 1812	4280	service.exe	100
PID 1812 wrote to memory of 4720	1812	service.exe	101
PID 1812 wrote to memory of 4720	1812	service.exe	101
PID 1812 wrote to memory of 4720	1812	service.exe	101
PID 4720 wrote to memory of 4828	4720	cmd.exe	103
PID 4720 wrote to memory of 4828	4720	cmd.exe	103
PID 4720 wrote to memory of 4828	4720	cmd.exe	103
PID 1812 wrote to memory of 1832	1812	service.exe	104
PID 1812 wrote to memory of 1832	1812	service.exe	104
PID 1812 wrote to memory of 1832	1812	service.exe	104
PID 1832 wrote to memory of 2952	1832	service.exe	105
PID 1832 wrote to memory of 2952	1832	service.exe	105
PID 1832 wrote to memory of 2952	1832	service.exe	105
PID 2952 wrote to memory of 2144	2952	cmd.exe	107
PID 2952 wrote to memory of 2144	2952	cmd.exe	107
PID 2952 wrote to memory of 2144	2952	cmd.exe	107
PID 1832 wrote to memory of 620	1832	service.exe	109
PID 1832 wrote to memory of 620	1832	service.exe	109
PID 1832 wrote to memory of 620	1832	service.exe	109
PID 620 wrote to memory of 972	620	service.exe	110
PID 620 wrote to memory of 972	620	service.exe	110
PID 620 wrote to memory of 972	620	service.exe	110
PID 972 wrote to memory of 4628	972	cmd.exe	112
PID 972 wrote to memory of 4628	972	cmd.exe	112
PID 972 wrote to memory of 4628	972	cmd.exe	112
PID 620 wrote to memory of 1836	620	service.exe	113
PID 620 wrote to memory of 1836	620	service.exe	113
PID 620 wrote to memory of 1836	620	service.exe	113
PID 1836 wrote to memory of 1620	1836	service.exe	116
PID 1836 wrote to memory of 1620	1836	service.exe	116
PID 1836 wrote to memory of 1620	1836	service.exe	116
PID 1620 wrote to memory of 3884	1620	cmd.exe	118
PID 1620 wrote to memory of 3884	1620	cmd.exe	118
PID 1620 wrote to memory of 3884	1620	cmd.exe	118
PID 1836 wrote to memory of 884	1836	service.exe	119
PID 1836 wrote to memory of 884	1836	service.exe	119
PID 1836 wrote to memory of 884	1836	service.exe	119
PID 884 wrote to memory of 2700	884	service.exe	120
PID 884 wrote to memory of 2700	884	service.exe	120
PID 884 wrote to memory of 2700	884	service.exe	120
PID 2700 wrote to memory of 2436	2700	cmd.exe	122
PID 2700 wrote to memory of 2436	2700	cmd.exe	122
PID 2700 wrote to memory of 2436	2700	cmd.exe	122
PID 884 wrote to memory of 5088	884	service.exe	123
PID 884 wrote to memory of 5088	884	service.exe	123
PID 884 wrote to memory of 5088	884	service.exe	123
PID 5088 wrote to memory of 512	5088	service.exe	124

C:\Users\Admin\AppData\Local\Temp\412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
"C:\Users\Admin\AppData\Local\Temp\412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQTUN.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ROPBHOPXATTIQDY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3996
- C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe
  "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQALR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:388
- - C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
    "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBYYSL.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WSUGMTTEYXMVIHU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe
      "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUGVAFVVTCNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXJYDIXYWFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHMJUR.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TAGDSRFGBACXSFN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAWOUG.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXAKQXXIACQMLYF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLS.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBXQV.bat" "
        10⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJAACDRNM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENAXV.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRPTOWLMELLUQYQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEALB.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VIOVVGAOXKJWDUM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCOWOB\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCOWOB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCOWOB\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEUNQR.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WMIHUBLYUSCXJDX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLPCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQFTBK.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOLUGMRDAEHTUPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVRFC.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLUQDA.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPWL.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNQRWD.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IHUBKYUSCXJDXDU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIQCJ.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQJKTXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESBIDYTHOJNKKV\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\IESBIDYTHOJNKKV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESBIDYTHOJNKKV\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIIURPTOVKLDKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDQTUN.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SOPCHOPXATTIREY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAWOUG.txt

Filesize
163B

MD5
de685103177214ef5609f27fbae2b9ef

SHA1
9d87da6a7bb756bf53ed3e98bd29e2587dad70bf

SHA256
abbe8d7be1cd5e525106ce0f0ad63a6df3488b5c9f730b4b955836e4c48cd30a

SHA512
330c3958579b8e082787e8ac3eebf6dc06734faeb6aa998c6887ab020ee43eef13e625270706116e7d833ba2c094cb7798b0bc226caed6366a8ff16b2d4cf921

Download Submit
C:\Users\Admin\AppData\Local\TempBYYSL.txt

Filesize
163B

MD5
bd6c1e0e0a1352eaa1215b9f0700b122

SHA1
1fe751646b7375c73d9a41f3c92b244175b4d465

SHA256
a2cff1a63009db7a626e471f4b7c8050f250439a7dc66c4406932e2fc6cabc1c

SHA512
98db5949de05a4d308304b04cfd3d7cc404b37471b41cc83704bf874d9f674e1cb94e1385dd188e10742d50a6f09f61cc822d60a677a066a02e181fbd4ad8030

Download Submit
C:\Users\Admin\AppData\Local\TempCQTUN.txt

Filesize
163B

MD5
3d46921c327a3fa9aa0e0f41fed5bb28

SHA1
092cd7558992de224bda2ff452a1b802ecf9401e

SHA256
a93a3ae29f9d6ea09c858315081afb04f6cb66e9b45b116538a99a8a17e18368

SHA512
757b71f0acf2b57f6825bbdae47cd5e9231f94a8f0c37e4b12a82b4e07829d2fc4b10736b3e1617039bf37dea2048744d1a3ce6ab7c8944b617cc628b1cc5506

Download Submit
C:\Users\Admin\AppData\Local\TempDHIRN.txt

Filesize
163B

MD5
8dbef24a56663df3248ee589d880f7f5

SHA1
4525067ab8fa22278042d588d15431cfeac8280b

SHA256
bd1f4cb4b78716778b303671fb43bf8dc7544ebbb09f7f9f750f61441ac21a35

SHA512
1f240c81221d36e5928652e157505deeafb6d2e363944d6cd18a57bf4b2c34524353a1ed34f33c242db25a9ea5d5503cb3a1ccbcf5470b51737c93d5fd2257a2

Download Submit
C:\Users\Admin\AppData\Local\TempDQTUN.txt

Filesize
163B

MD5
765cfac2744d93e7be75012f00b80ec4

SHA1
7a64e829984e9c1317f4af52d757ea0d1218bcaa

SHA256
228eaf4f12422b85e5a5735d5ea1320115e64401c17640fa5668f2b03640c21e

SHA512
78b9fab231a7de8e5f2bccb151ac2c6229185f0161894ba599cd8487a56996e687c1246c6b8453b78a3706792283b51fba2399cca2878aea7b2191c82e04f414

Download Submit
C:\Users\Admin\AppData\Local\TempENAXV.txt

Filesize
163B

MD5
44594f21569c34d009d11507644dc3a0

SHA1
b77ed4d43286789bdb7bef5650e63eb7fdba4d77

SHA256
a755bf5268042f0221d31e2fa44c8ba6de5f0995c2bfc36088066f3c087a89dc

SHA512
b37aee3c3d4c5eb7e356103cb715c60e45430aa1f3a2bcbf97d31464d31bf266079cae5e21be811da45bb46ddb69d473500cdb9d9c00ed55081b7e1383f49018

Download Submit
C:\Users\Admin\AppData\Local\TempEUNQR.txt

Filesize
163B

MD5
0785099fbe2a4a1108bb431ca07b956d

SHA1
59116a22bbc1f8b9fb7408b671349612414b36f0

SHA256
99c0731e7aab42c4c6171bfef557b0f8b142e9538112803f49425fdb6b44dedb

SHA512
75c95998380997c798eb1d4da1b1d248e6dae96a45ade00a2734d37717b6c5c3bb756ccc90973a80ec3b04b9e072549f6ea1626bc2240dd9ea624622ddb2052c

Download Submit
C:\Users\Admin\AppData\Local\TempGBXQV.txt

Filesize
163B

MD5
de22ef8b67182ee83511f748b59506de

SHA1
d5a55a13069ba516010310dea9ffe3d5ab4abe7a

SHA256
8572da146cf7e79b5970f9a60681fb461064a565c3666e003dc7b63e588eaf2b

SHA512
854d7629f2aa2f040a36dd8c6b9458455f43f06e60343af6d1f147209846a502ac19b3dd93017e7905358f64ca8ed16c7324f9da9b1d0f1545be2d6d5af2736a

Download Submit
C:\Users\Admin\AppData\Local\TempHMJUR.txt

Filesize
163B

MD5
020907a59f8f3e52c210a3d639faeb45

SHA1
8077476d95955a43c0d85e293044ef0dd0ffcbae

SHA256
c34090bd775c7763dfd3517e707e5cf62793ff216243c94a39b04b7cafb7d940

SHA512
51a90c649d9932462ba3da28a656825fbfa8fc6c8c2b98d6098b67bd808b422a1fe340014274e63d04be58eb3816b2312cc6f5452cd728b6d944f65907ed090b

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCO.txt

Filesize
163B

MD5
1e63a957475bd17215171a1e32a152ed

SHA1
0ebaba4a2609e7a0f789e5540ee747b0bf44f261

SHA256
f0374f05c357fb6c4af4b00d6069eba4bc522684105955d122776985b3dac827

SHA512
1cda63e945097d6887670be5638b1643512075c7cf2272beab3eacdeed1df3fcd5072dbc402fe28659f80d6db1009f8191ac6e5bc377599d00758bd304c0fe84

Download Submit
C:\Users\Admin\AppData\Local\TempLIQCJ.txt

Filesize
163B

MD5
a9daf522f6581c751dbb46928c415d40

SHA1
773f31f76b5f439c7e19ae8dcdc2c9ae9684e52c

SHA256
619da60e5f8a04bc59b894b8444f17a97f83e35ba34c6882a7e6e52489ae83ff

SHA512
701c8857d5011bf98c59999e9386228f00d746656ee1a39f33d03cf453cf080874d317deea376194066fb666cf30345a4df83f5b1f92d616164e87adbdccf798

Download Submit
C:\Users\Admin\AppData\Local\TempLUQDA.txt

Filesize
163B

MD5
0887f8a053b6634da227e398c394d81b

SHA1
7e302400941306dbb1fb3a489a23add27b1209d8

SHA256
2f72e4b614fd3ffa97fd87de3f00824cd240546d92b4b5516b558b17097a491c

SHA512
e5fd8516383823287089e860205c0da879e62c25160cfd7dc752c0e265fc60847c03aa72c49d2bd0ad1b71b9b3cedbc0be03a6b81d27410251356f5b4f801eb8

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.txt

Filesize
163B

MD5
232c1e7640e5bb90c3b381b7fa0d8f0d

SHA1
65170528eab10150fe022229ff1ea4655423481e

SHA256
06462c3273aed69acbd5cec547e264191c71a883c485f5634affd1bccbe2df1f

SHA512
df34e6aa3b4b3a94f97f9c650f333adb48f93065e958a0aeab38ada6229278d00ddc7200ef89bb065947c04c04ea20ed297089c33b10a85511567be70d70b7c9

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.txt

Filesize
163B

MD5
94feb1d592f93d0e067a85161601e956

SHA1
cf04d3753ae1babda07fdf71aa667a497aa5a490

SHA256
eedbc343819537785f5ef9600d0c365dccaa40c1eb47d925a9b764030da9e49c

SHA512
3682b5b4c9e2dddf4b6e2c5a61c6077778c00e2ed15331a5c5ebd9b93130eb87e776e1ae9aac8514a378339aa413f4c9567030f32626847d2eb14db5ddb8e0a4

Download Submit
C:\Users\Admin\AppData\Local\TempMVRFC.txt

Filesize
163B

MD5
7be2b658becf72aeef87809ebe6682c3

SHA1
1093979795cd05c0b5207f38508e442c25ae4edc

SHA256
f177f6af87e97026b908033466da9bc5fed79cc31253f6badef3235a99c52c42

SHA512
41f06f36e74230c39845984e094cb41a2f2c9f7fa6b2053e699b0b3e70caa2d482e7217c36c5a22ac6613d0cfb7799944709cc7e923ba233f917c26feb897155

Download Submit
C:\Users\Admin\AppData\Local\TempNQRWD.txt

Filesize
163B

MD5
3dc97ec90feefc0c9b3b3153414b3afb

SHA1
a7543f473e8ee69a39879142d30c1a921fd81b0d

SHA256
99423de78b000a7ac1603d4c2edc455d84e76120d0f68ce6a5c5ca0f676d5f47

SHA512
96d4c504dd463a9983ba796263a4ae813c8e783efeca71f303a16f4a792724573c181350cf6c812cd91bf4c77a7bb9dbc6c915bab6297195691e47407b575f06

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLS.txt

Filesize
163B

MD5
b217cd93f39c76822c7d59441e2bf72d

SHA1
b74743485601810ac45731f8ef0ccc2e3a1f6e08

SHA256
72ff7221c084a4507b65f996ba9e40a2237cd9ce008748e9383baa25ac9d5f53

SHA512
193521f7f1e1c0257c63db0eedbdcd7737f295107be6e7da3fd61685fd86a0f8f593c268a575342623a24bec0682b1b33a0d25514c73db45761ce9d7f911f4c1

Download Submit
C:\Users\Admin\AppData\Local\TempQFTBK.txt

Filesize
163B

MD5
c7b12f701d00379bb75103783b472792

SHA1
d2171cbf139828b284786c37dc048b76bc9005ec

SHA256
b5ff708bd725ed5f67cc8c7198baf42c88dbf4d7eb42b48630959fcea44cca3c

SHA512
51a9c71b1ceb10d6ba4e48071c33eab13a4873f4ee1354ada78eba87168158fd685b9855d171399f6036cf990ce2890ae3150c6784a3edf732c8399ddf8c922e

Download Submit
C:\Users\Admin\AppData\Local\TempQUPWL.txt

Filesize
163B

MD5
608ee5680b0efcb54ce68f13e4dbdded

SHA1
b24ea2e1dfad3981363d6d947177f7e55dca9b68

SHA256
79d6ccd2d33cd27984aab983eb4662d762eda7dde6eedd63993237506a6f7b92

SHA512
85d1d40793b775e5356250fe38dfceadae45fec7b53151903d7009507cb0c39c3026f4071f1c9bcbf6a3bbc246af2e6998cf539aa9f091ba4b25cfc8459e8fac

Download Submit
C:\Users\Admin\AppData\Local\TempSDXWL.txt

Filesize
163B

MD5
1a3da698ee8fa36e10bff6662c71beca

SHA1
6ef93721e781a68c788b0f3adf5c402e66b49f00

SHA256
02effddc870eab367d08f4d09ebc710e98bc02f3ec9fcca5a98db8e9b0637e3a

SHA512
61ed3b5665204732e3a6d2398e769a5fe6414afa3560a2451e38a5ce5bc4c63a30ebdca8fc84a137fd7f9c0d29682d1b3806630a9c17db2d5d610357500b0200

Download Submit
C:\Users\Admin\AppData\Local\TempSEALB.txt

Filesize
163B

MD5
f5deb26710b7851ab4724896c9fd1ad1

SHA1
5867dd1546065249ad74bde05a34e8fec77f3b59

SHA256
011762c41d884ef1ee23188328242142ec520ea198ea7b3c4c78890085dded2d

SHA512
2fa0b80d127d72bfcdf82f00204d98225f924b4566d3f4fbf9140a7f9d6984735f2e9f50afc74f6fe292ed74d3504ddacf803ffc2e80e1de544cc049f565ca9e

Download Submit
C:\Users\Admin\AppData\Local\TempUPYPE.txt

Filesize
163B

MD5
f5889c76b1ac39051fd1599d897bc679

SHA1
e5ca041584f3e1423d3226efec747cf13069d9c3

SHA256
db8e3d46a393c9833be7704dbbbcf5f4cce39cafc96edee616fa618bb16d9bfa

SHA512
94859c8c3353caa8b0725a9fae57feee7ec6bcd7f2ef52c1b543bd3d7ae846f5e76d4795d611703806224315e8295bc503d69cbb75934cae08ee778529f8cd86

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
ca9fbf16b844ad57bea09d9261a930f2

SHA1
629bb99ed9ec053439d835b7cfc00b87342b02bf

SHA256
fc2e15c2b4657ef8ed78c199c16b8a6db57d71c7b99f62619792afb9612e2f59

SHA512
188666337047b481ca307f4855e1c70bfb48f04628d14b2bb66e26a7330fafc5d1e55ae096cdea2d0d2797bdb4070e436065a53bee8a6e43f9edee74e3753150

Download Submit
C:\Users\Admin\AppData\Local\TempWNLPK.txt

Filesize
163B

MD5
13121050a54fa9e2e16b2d66178825a0

SHA1
665b6d1a77458b004e58bf1d4bea12759373c6c1

SHA256
2a36e3419d54483cd4b932099209f8882f2f746a6f202d0ad5b2213d14325c7c

SHA512
7fac727e2114c682be78c746ca301fa30fe69ba10d4cc85f724eb1240a82f876c5d1c774b60c6ee7f08ba783f7c36a0edf8878d3629358febcc7014d9dc8f5ab

Download Submit
C:\Users\Admin\AppData\Local\TempYKIMH.txt

Filesize
163B

MD5
784335baa97923448c31a8629b5580b3

SHA1
59390a69107ac567dfdfd1de174998a98c6b80f8

SHA256
698664c420f3c71c57c938fcc3a29c17ebe4b7b87abbfd28bad7a2f775faa681

SHA512
d45211d3cfb6ed4c7e771ef93c2c963b5b080348eee28c67577a949801b427e70f94b43db7f233dd83c9c8d3c7a03237ecf5acf8f1b178785ee0b5dbf52704c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe

Filesize
520KB

MD5
388d7e94de28a4b3803f23ee1a9be325

SHA1
0e62b531c5b5ba652d784bebe491a9e451ea9c8a

SHA256
136f6e4e3aed96114443cac26c3f6f92f4a99a533fe3f3a8233b82e59f443fe7

SHA512
c917b41784270b473e06fb65ce0318eb574b2c07208f45b83f0d7e4eb00e4f6b28a5d54672429b47440e6b8d4acf522455319624f31f98a42fc6b0abbac2a933

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe

Filesize
520KB

MD5
7671c614177d2d75270377d32a4ec9ef

SHA1
76dd2d74a610c23993c0e54dc748ef694e3e91dd

SHA256
df00c009d7926c709cb4ac14a382f0ba172bc0d55afab70ad35778c1a64c5c55

SHA512
5f1115a4bd18b6e98ab36128e7810961b12e51758d8f27a6a87cd9e9d179e93d44e2201a3c475fd705d61f8e748ff3e07a930060cc572a09bbe94bc2a1c793d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

Filesize
520KB

MD5
0e6f3cec6b2967c47df4699829cf0706

SHA1
4e0ab8fc6566e40f75c8786bab719d2d0d3f4412

SHA256
d356610d6a9605cf20fcb46cc404e6859418ae6895cbc73078b917bc44a05020

SHA512
38a2a9a1c2dd352f575cd7fc6b2d774780725b696b48ffb5d141abb6ca968982a4da0ec53bf3eb18130ec5acc79fe0a224d104d4f2ecca6dd0ddd5c085af93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCOWOB\service.exe

Filesize
520KB

MD5
2944be49c1eae86d8f51e2f8d6e1b1d6

SHA1
89f31afd4d2a3789e60003de8b9d419056fbb08e

SHA256
f3060778c02363464b44dc7ba8cf8793d9c681ea9b5966bc138b729952380324

SHA512
de382c7fc169face1d6bf34a96aabce172487234a0f6bb6285bf886d34f13d1ef79c22d092bda86af5519e40b13048238ca530f0c065620f2ec40319fbe04010

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe

Filesize
520KB

MD5
34ffeb52ec986d8c867340ac3dcc39e2

SHA1
42b4e21a9c12752e72addaeb80a5fc40a0447dae

SHA256
24264f73f0a200aaaed54ff8555c3578a829d87d6628db79f5b1b22f989a1ed3

SHA512
808bab040051927dffb6267a387eca6c075bea024d12d8911433b41323e5f160ac41bfc5d985147ec23f2fcd7e3f66a66eeb27bd9b912d2eaf8158142b3c8e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe

Filesize
520KB

MD5
1b70bf8d7f92e7b429c7c6822c999888

SHA1
3dde1352d8f6508377ed74f3f19c9dcb49c04fb1

SHA256
47a7dd43e76ea66f9c35ed0c69cc3576f24b1e1ebfd11c70a402b195d1944f7d

SHA512
8c1741371f780e39b56d84b2a8520ed0f9542492a20eb0874928033ffff292a2093bc008106fae842f5188bd12e03dbe47024684772e90f2d694edc8cfa3840a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe

Filesize
520KB

MD5
74c197176ae8d7a83bb7211ad2b6b0a5

SHA1
92554706f21a406fcf8dd6c4002764306e3761d8

SHA256
aa4f80a89b67bdc54c5d78a5ff5920f30e0b7d515de3fcb7b1e7f3b982247ece

SHA512
7d5fd4aaf674130855e73c8d12429e6e0575e59f21ddfb5e70106a911269d76cdb40a185814a9b31840978a9424917a09cb6e6cb7e9b7484466d6cdaf4acbc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe

Filesize
520KB

MD5
6046e07bed066a37cdec87c325056eef

SHA1
883ad593bf3523dec0eb7bfaa895c1af73d779ab

SHA256
b7ec6412baeaa58bef45de1ce550fcc7cec7e79f92c13ddf8b41304dbd203cc7

SHA512
3dcdc93761f3c0579726a4c9ac9d40c690acf0c22eb2402a7d1860dbcd480c19d6bddaa240ad5e69af5ccf224baab98d671aa9d16c0c1a49c7c286c194311750

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe

Filesize
520KB

MD5
d01eae759719ac327b59b0d6a4d3668b

SHA1
6462966370a73bb0ec14eef17f84cafded80d592

SHA256
aa6e997121403de8142da8cde07ff6e4f22b2e4f97e009a23be3c98abcbd5429

SHA512
bf3d1740f2e91bf3103407f6ca06125815c915657accd9cdb067fc1eac7cea1d45a019873c94a84ce7036c1c3b1af2e3151e1f1d19e262e2a2100b47513ae5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe

Filesize
520KB

MD5
696956bc5008ce465ea43878cf14efae

SHA1
ed2479d2390524650d8bf2fc43efcf455ec38054

SHA256
418d89d48f5beffe735d1c4f0c91f8df6cc0b109d89be195068183ee40e76c13

SHA512
c7cdffaaa41ddfc5bd6f9bb2ebc9789c9e23d866dd0cf1b9c0c82be1367811e3a5448f7e99dc9bf407eda20abbcf523f6b4d39b4d982a5b3802ee015ba0f64c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.txt

Filesize
520KB

MD5
4ccc86c4b1298647c4aed8497a8e80bc

SHA1
21d7281d12213097bea18ce37651611bb5bc1fa4

SHA256
4d04f76da7dac33554a62e53493f0a6440ef171f20ff1fb6e7e465450f0ac459

SHA512
89ed12894eabb2ab25eee7954b663be22e3be69bbe2782bb9d60209b4a1235a239f6a20c5d45a39c212b961f89b0db6a7a16d1ca01c2a1552286ddbc2bca476b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe

Filesize
520KB

MD5
8550301730a9d753b374d0f081bfec36

SHA1
60ebb64380a53ff34e2a7c117121ce5d799850f1

SHA256
a6347b267cd2bc1f6caacded8265d31df0b6c9a3d4cb31a0b14f26abe6056bc5

SHA512
89b5dd861578d60f6b443547f9d79c087f397e1e5520194ee69acabc6de7811f9347b886717c1e7366c1a7d22ea8518bb3973a05a2f32831271767d006216cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

Filesize
520KB

MD5
2e770de620106f95973f1c3243939303

SHA1
94c72087545727bb33b0325e4da0326033b5950f

SHA256
4ad2be455eb72c9f7997fc741cb519db3a9ff0be23908d8b235679421a766e7a

SHA512
058b7f93cd44fc42b8f39321847bc748ad59caec206881e31a9f50caccc0c3334b8e64a667c3eae8e529bf5cd849822e8c5af683531b9fa49d0a0c6c4e3e4a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

Filesize
520KB

MD5
9f8a43c52bc8abfc9f99033d6520ab60

SHA1
477df9b80155ddc253ca8be2a3dd634b56051e07

SHA256
bdb7e5ab7c1448673e64ec4a44b2bd9808764923b24febdff8444ed620029cd3

SHA512
73df0c0391e4618decd67a5a7ca30dd44fc61fed1845c84cfe24b581e395f3fa1a0ae6d75e60b6148200e4fa1e1814f7fd9a0c7bcd285c31bedb82a5dc561846

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe

Filesize
520KB

MD5
6fd09720a96823856790df1cd7ef2167

SHA1
4a82005c6a4ec5a6a8416990a3210218cdb0f140

SHA256
8018d7d9f384290482c82b5beb3d2f6cf1fa5089d492b7f4d3eb665ed9fc9f40

SHA512
60e0ebeece430cb86d0ec8434c1ba040318351a7f61275668af9000f2a211afb534a8e99256dc9cde701174fcad90d0e9f954e5e88869bb8bf64eff46795c70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe

Filesize
520KB

MD5
c1d5ea91b696a89bdfc7dfdd01b9b43a

SHA1
ddf18d75f04b9025d60233a90e7e1cd2ce083672

SHA256
22b9b19c13b1da5c49e007e6eccc1a089e9607b31a17bfa817015ae62c266092

SHA512
059b231e0fd8fd2f8904f6d67fae52c7aa0a5fbd9e9c934dcd9f30af8df88a29d6c01c83d33c0cce8a5bd13d98bd707e6768dd1066ab1182574efd46585322de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

Filesize
520KB

MD5
1d2eb2f9441e40e40fcfbdd72d4c8eba

SHA1
0795df3a9dd1b1a010c53874c332e0ad5ff631d8

SHA256
021cc1c02b8d57eb08cfa1257d09f4eaa5ea89b04928d8dc58ea2688d57a0602

SHA512
10645d53379d977f14e584918a031290f3843c818e4466e5f30838df76c7eee9f01cb74ffb945f643d3d25962cac1f5840c4437a0f2e14422a63ca5cea0752dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe

Filesize
520KB

MD5
49dd41fcf6652ac6a28f67ece79cb240

SHA1
12f83d50eb2bf4d00f74b457b0ae67c9f31dd7b4

SHA256
652a10e7ca93f370d52b2651630494680c02178c9e1b0acf593a090ec563c728

SHA512
28318da7d5a1d0b8aaed03ad353103569eb396b47d8603615e3ad917b1ba8eda7a1ffcf8fac8ac3b8d44767e03e16cffc099a2a5133bab28e90c038ebd66e334

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe

Filesize
520KB

MD5
d02e2d706183f5a883a19daf090fa728

SHA1
12d32eab92ab72eb14f55406277fe3120e197013

SHA256
a3271813e62fd0e565adface4025773939057b93e5a11b493487aa61f6aeb483

SHA512
94e1b59fba01ccda548de1cd533fa5fa24d0be8fa0bcd39516e9c39906daca76cbf394960a483d809e3330c8b6c45c4c8d38e8881f61bca2333de082c6ccbea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe

Filesize
520KB

MD5
6115fa7e1ba22bb3cb8129737b3624b8

SHA1
8cd6402b09ca97a956a18fa96fb694cb55ba3cab

SHA256
7e2d32145383310552c7180e24e5544daa1681671f60b28ca052ed41ae1646d6

SHA512
990f7c224c40f84f78881842add705f4b0a1db2bec0c022eaa82fc766d3ac4b7ff7eadeaf7d79d8acad3a07a841b6a626e0e00531487ee0d01b7c2f3beab9a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe

Filesize
520KB

MD5
157d49dd13892b11a415acf266875cec

SHA1
e3c785d6b88d5a00c6bc70a8acc2d6c15de7adfc

SHA256
dd104f41e6ae054c9b6e70cdb77dbe5d5109d50c7b99098000bffd5af65f4b5f

SHA512
67f447f2c26ca05a5c441949a418ce09f6fa4b81b1948851e335ba81db20c3085626d2d2744e4805a861aca6176642061958d4427dbee9cc4c372e611d82a9a7

Download Submit
memory/1276-675-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-667-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-672-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-666-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-676-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-677-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-679-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-680-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-681-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-683-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1276-684-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads