blackshades | b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Size

520KB
MD5

9ad804a81fe08950e54547454d6bee4e
SHA1

a10ef9d0f0c53035435c8fa5af655cd7969bd4fd
SHA256

b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e
SHA512

ee54de0bf577925e3103630dfb27a727d2c872f5c1ae1fbe489192d9ce55afc5632fd766f60d7555f2dc7e5a0f45d07b6653cf8ccdce599cd514a4b961f5d0ce
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXm:zW6ncoyqOp6IsTl/mXm

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 13 IoCs

resource	yara_rule
behavioral2/memory/4520-490-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-488-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-495-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-496-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-498-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-499-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-500-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-501-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-503-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-504-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-506-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-507-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4520-508-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFEUVSBB\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 19 IoCs

pid	Process
2352	service.exe
3948	service.exe
4860	service.exe
4072	service.exe
2056	service.exe
2224	service.exe
4584	service.exe
2932	service.exe
4304	service.exe
4512	service.exe
2624	service.exe
2132	service.exe
3348	service.exe
1536	service.exe
5036	service.exe
4668	service.exe
844	service.exe
4100	service.exe
4520	service.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PMLPCGCAQWOFEHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOIAGNWMSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QTEJOBNVMABWSNA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKKRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XNJIVCLVTDYKEYF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSFGTYAQYM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FBPVNEEGBHVDRQC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDMVTEAYLEYFVOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGTARNXNJI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVSTFLST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EFABWQELGLYHTQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRFCQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFEUVSBB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVROTGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPBBPUMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXTHTFDHVWJOVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RRNMHQXIEPIJSVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\THKGEUTJJLGCDNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBRAIROJDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JMYCHVUGOGXPLGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUVSBCNTYKIMHPD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INSAFCRREGBBWRF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4100 set thread context of 4520	4100	service.exe	171

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3348	reg.exe
3616	reg.exe
4048	reg.exe
3808	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	4520	service.exe
Token: SeCreateTokenPrivilege	4520	service.exe
Token: SeAssignPrimaryTokenPrivilege	4520	service.exe
Token: SeLockMemoryPrivilege	4520	service.exe
Token: SeIncreaseQuotaPrivilege	4520	service.exe
Token: SeMachineAccountPrivilege	4520	service.exe
Token: SeTcbPrivilege	4520	service.exe
Token: SeSecurityPrivilege	4520	service.exe
Token: SeTakeOwnershipPrivilege	4520	service.exe
Token: SeLoadDriverPrivilege	4520	service.exe
Token: SeSystemProfilePrivilege	4520	service.exe
Token: SeSystemtimePrivilege	4520	service.exe
Token: SeProfSingleProcessPrivilege	4520	service.exe
Token: SeIncBasePriorityPrivilege	4520	service.exe
Token: SeCreatePagefilePrivilege	4520	service.exe
Token: SeCreatePermanentPrivilege	4520	service.exe
Token: SeBackupPrivilege	4520	service.exe
Token: SeRestorePrivilege	4520	service.exe
Token: SeShutdownPrivilege	4520	service.exe
Token: SeDebugPrivilege	4520	service.exe
Token: SeAuditPrivilege	4520	service.exe
Token: SeSystemEnvironmentPrivilege	4520	service.exe
Token: SeChangeNotifyPrivilege	4520	service.exe
Token: SeRemoteShutdownPrivilege	4520	service.exe
Token: SeUndockPrivilege	4520	service.exe
Token: SeSyncAgentPrivilege	4520	service.exe
Token: SeEnableDelegationPrivilege	4520	service.exe
Token: SeManageVolumePrivilege	4520	service.exe
Token: SeImpersonatePrivilege	4520	service.exe
Token: SeCreateGlobalPrivilege	4520	service.exe
Token: 31	4520	service.exe
Token: 32	4520	service.exe
Token: 33	4520	service.exe
Token: 34	4520	service.exe
Token: 35	4520	service.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1352	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
2352	service.exe
3948	service.exe
4860	service.exe
4072	service.exe
2056	service.exe
2224	service.exe
4584	service.exe
2932	service.exe
4304	service.exe
4512	service.exe
2624	service.exe
2132	service.exe
3348	service.exe
1536	service.exe
5036	service.exe
4668	service.exe
844	service.exe
4100	service.exe
4520	service.exe
4520	service.exe
4520	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2776	1352	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	89
PID 1352 wrote to memory of 2776	1352	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	89
PID 1352 wrote to memory of 2776	1352	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	89
PID 2776 wrote to memory of 2908	2776	cmd.exe	92
PID 2776 wrote to memory of 2908	2776	cmd.exe	92
PID 2776 wrote to memory of 2908	2776	cmd.exe	92
PID 1352 wrote to memory of 2352	1352	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	93
PID 1352 wrote to memory of 2352	1352	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	93
PID 1352 wrote to memory of 2352	1352	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	93
PID 2352 wrote to memory of 5104	2352	service.exe	94
PID 2352 wrote to memory of 5104	2352	service.exe	94
PID 2352 wrote to memory of 5104	2352	service.exe	94
PID 5104 wrote to memory of 2448	5104	cmd.exe	96
PID 5104 wrote to memory of 2448	5104	cmd.exe	96
PID 5104 wrote to memory of 2448	5104	cmd.exe	96
PID 2352 wrote to memory of 3948	2352	service.exe	97
PID 2352 wrote to memory of 3948	2352	service.exe	97
PID 2352 wrote to memory of 3948	2352	service.exe	97
PID 3948 wrote to memory of 4856	3948	service.exe	100
PID 3948 wrote to memory of 4856	3948	service.exe	100
PID 3948 wrote to memory of 4856	3948	service.exe	100
PID 4856 wrote to memory of 1084	4856	cmd.exe	102
PID 4856 wrote to memory of 1084	4856	cmd.exe	102
PID 4856 wrote to memory of 1084	4856	cmd.exe	102
PID 3948 wrote to memory of 4860	3948	service.exe	105
PID 3948 wrote to memory of 4860	3948	service.exe	105
PID 3948 wrote to memory of 4860	3948	service.exe	105
PID 4860 wrote to memory of 3188	4860	service.exe	106
PID 4860 wrote to memory of 3188	4860	service.exe	106
PID 4860 wrote to memory of 3188	4860	service.exe	106
PID 3188 wrote to memory of 4308	3188	cmd.exe	108
PID 3188 wrote to memory of 4308	3188	cmd.exe	108
PID 3188 wrote to memory of 4308	3188	cmd.exe	108
PID 4860 wrote to memory of 4072	4860	service.exe	109
PID 4860 wrote to memory of 4072	4860	service.exe	109
PID 4860 wrote to memory of 4072	4860	service.exe	109
PID 4072 wrote to memory of 3924	4072	service.exe	111
PID 4072 wrote to memory of 3924	4072	service.exe	111
PID 4072 wrote to memory of 3924	4072	service.exe	111
PID 3924 wrote to memory of 4956	3924	cmd.exe	113
PID 3924 wrote to memory of 4956	3924	cmd.exe	113
PID 3924 wrote to memory of 4956	3924	cmd.exe	113
PID 4072 wrote to memory of 2056	4072	service.exe	114
PID 4072 wrote to memory of 2056	4072	service.exe	114
PID 4072 wrote to memory of 2056	4072	service.exe	114
PID 2056 wrote to memory of 2368	2056	service.exe	115
PID 2056 wrote to memory of 2368	2056	service.exe	115
PID 2056 wrote to memory of 2368	2056	service.exe	115
PID 2368 wrote to memory of 3480	2368	cmd.exe	117
PID 2368 wrote to memory of 3480	2368	cmd.exe	117
PID 2368 wrote to memory of 3480	2368	cmd.exe	117
PID 2056 wrote to memory of 2224	2056	service.exe	120
PID 2056 wrote to memory of 2224	2056	service.exe	120
PID 2056 wrote to memory of 2224	2056	service.exe	120
PID 2224 wrote to memory of 1856	2224	service.exe	121
PID 2224 wrote to memory of 1856	2224	service.exe	121
PID 2224 wrote to memory of 1856	2224	service.exe	121
PID 1856 wrote to memory of 3108	1856	cmd.exe	123
PID 1856 wrote to memory of 3108	1856	cmd.exe	123
PID 1856 wrote to memory of 3108	1856	cmd.exe	123
PID 2224 wrote to memory of 4584	2224	service.exe	124
PID 2224 wrote to memory of 4584	2224	service.exe	124
PID 2224 wrote to memory of 4584	2224	service.exe	124
PID 4584 wrote to memory of 1336	4584	service.exe	125

C:\Users\Admin\AppData\Local\Temp\b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
"C:\Users\Admin\AppData\Local\Temp\b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHLIT.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INSAFCRREGBBWRF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2908
- C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
  "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHVUG.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2448
- - C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe
    "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBRAQ.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JMYCHVUGOGXPLGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
      "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJGPB.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RRNMHQXIEPIJSVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4308
    - - C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIWESR.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMLPCGCAQWOFEHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKSGQH\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4956
      - C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKSGQH\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIXCH.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QTEJOBNVMABWSNA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVHQH.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "THKGEUTJJLGCDNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVORSX.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XNJIVCLVTDYKEYF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSFGTYAQYM\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSFGTYAQYM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSFGTYAQYM\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXVEE.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUVSBCNTYKIMHPD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSYEFC.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMVTEAYLEYFVOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXXLU.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVSTFLST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAA.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVROTGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBPYKK.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTFDHVWJOVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUJJ.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EFABWQELGLYHTQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKCFUL.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBPVNEEGBHVDRQC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBPYKK.txt

Filesize
163B

MD5
a10f7849903f762fe4fa5132e5c47f3d

SHA1
27d9b61d92991d2ca2c120be1b4a6f071f8a240e

SHA256
03b747a65a1f1813551874b2f4e6133dbac1efd8bba28abbbe874d38199286ed

SHA512
4d922b5fe3e2e3a385bd7cc7e9b21ac489e9eaf1e9fac1b3675804cca68bfc6f9ca37a7f7726d19956d0337abdd44de758e338356d07fd4bcdd27e8ca23a92cf

Download Submit
C:\Users\Admin\AppData\Local\TempEXVEE.txt

Filesize
163B

MD5
686b24e4c367071993a83915263b1915

SHA1
2d481834bc244c15e5a34212787fe546e07bd395

SHA256
5e45194aa0aa06c3575a8a671be72f3d0e641846927f7059455876a7217508b5

SHA512
7120cf159132116fa2242bdcbea83850a229597514f051ca12e70316423dea99f5f37a8434a23e781672d1cb4cb75ea1930ba61b45d44410539a232e98456833

Download Submit
C:\Users\Admin\AppData\Local\TempEXXLU.txt

Filesize
163B

MD5
e5de1b650a040f7ed8e3978daabc5c28

SHA1
db4850e5559f3819fac04fdf8f26e3e49236d3ec

SHA256
2b2495ce7a09174320c02e2c2de22fbd6b9a994ee0db0a431f91710d99e1ee1b

SHA512
d6086ff2a215c267d9b1d4107ac792d39dba76cd172f4a4160a90100b70986a8267ef229b8e82deec6e19e62260297de9a2bb8305fbe8e387b493716f5d7ac6f

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.txt

Filesize
163B

MD5
fc4fc4d0e67121ad7c4abfe5e5e1a17b

SHA1
5c85394b9f2aa5972caab7d5f3e1730b143a05f9

SHA256
f5b5a300415e73e733e16403c35df1f1cc3957bd86cde08570adeaf45d904b17

SHA512
e57b463c78f1b96e1030f8973a404437c833271a878577b73bbbea0918f3ad263950dfa169dcf01380a01a24f1a2873370f89c09e4277cd95cabdbb277afd3d0

Download Submit
C:\Users\Admin\AppData\Local\TempIJGPB.txt

Filesize
163B

MD5
5e1d8a46f437c4e9a6fe85d58c75b79d

SHA1
12cc239275a2c37db21199bd21aff3de4320e6ed

SHA256
ea484951f99420de52f854c7eeaa98c4c86ac4be7eb6131d5fa8eda6fa2deae5

SHA512
606e5794079bdd9c5627db45a179ddfa70a6516178e85ec48c26d89140805adb3427f6d701379c487499a7f9f661e81aa14ca609b5cd938c73d40076cea01c1e

Download Submit
C:\Users\Admin\AppData\Local\TempIWESR.txt

Filesize
163B

MD5
bbcc6b1c9886c6a741c335dcef2e804a

SHA1
79c7ec4052fae7f99fc80e415ee787ff776a07b2

SHA256
dc7d2d70cb89598459791fe500c5aef92ec17022c24ea7a98062342b48cfb5e7

SHA512
683ce0bb38ee31de9c3bb51db94827d92e700027e9838b8d89fdffcf113f92ef16321595713593bac0a99763648a82f1e681bc1c070da6e3f0a134f6598030ef

Download Submit
C:\Users\Admin\AppData\Local\TempKCFUL.txt

Filesize
163B

MD5
7d0ece9061326b3f0bec1f3aadbeee1d

SHA1
d6328d289452b93dea659e3274f6b87641eb7d30

SHA256
426871e63013836a31257ef02c783e28917c901a2f742afb164a0ecc018089f2

SHA512
c8b5e955044cb782d85d1b0a9cc1d80d5471f8c552c2ac8e413cdc7b29ebab75c449829e2327d58b15aaa2b030027b932a4b094ae0d7ef50943cd42f178d7e9d

Download Submit
C:\Users\Admin\AppData\Local\TempMHLIT.txt

Filesize
163B

MD5
aeb619c58db84bfc89811dafbcab675a

SHA1
26f1120082a6ecf48b6c214b53f91cda1199ab76

SHA256
2906f9d0233d09aa833d8edeb914787ea5ffe4ca88eb28028ec97dce176791f5

SHA512
663a6bc330d7863604ade84ea1316a928678b0ffbb723efda8a72edc671840bb86888620e4742cd1457e243ae9a2fb10f1869de17641e6e0d8b409cacf16c372

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.txt

Filesize
163B

MD5
7ab00c2d0ec3d74d552ef677edafa12d

SHA1
9f553e5d98a60c4e079c57b27d9545066605e02f

SHA256
898f879244a352030d694967feced2116a26e20ed258ec21ec23df4afaacfdc5

SHA512
23c9e91b67f5f3868d16d43fa5d3271f945ac0c48dfe77ca6aea7e0b24832a86e8b8da26647b200b25e1cf6445f75802bbd33566e25eef9ed5c86e9949f8a9e3

Download Submit
C:\Users\Admin\AppData\Local\TempMHVUG.txt

Filesize
163B

MD5
baf076017ce9a15274838dfc3ccb3df0

SHA1
e869ee6bdfdea84ad825d4e2a18a1fa071dbaf36

SHA256
7acf9bc5aca7e4de92000e2f3c85f91bd70fad70bf45c7d77a7c875d6e360676

SHA512
2abdad597b2651ec4959cdfda9f886f9af1f17b892d819560d398d7a02836fbe1e162339fe71b2f0dbc62aed2e43f6d65548374c50c03487cd27e297de89b095

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.txt

Filesize
163B

MD5
d0599a1e9a892afe76f42cbe1bcf621c

SHA1
ef751a540b9b623e2c20f82c4d24cb47e27b33e5

SHA256
95db162aae0b0d9018face50a8affef69cc31f339c4dceecb5f7cad02364a436

SHA512
6e71ddfb6486872377e67212b129d25ed46df1337bcc08734a9c8caa3f292d8ac73b1a4cfa962ccf9263946ecb6fe7b865faa7c075cee1dadee17a49854b9708

Download Submit
C:\Users\Admin\AppData\Local\TempOXTAA.txt

Filesize
163B

MD5
1deaa0e7e91adb490760d3e2a9d22033

SHA1
2e82112affbc867f3246b3b014f9812907ba8f95

SHA256
4e23500f8bd487d7fd43758b1f18aeb70b1b10b0866fe9866db30f32c9e56299

SHA512
806d9f68def96ce1a7226ac174e588ac44867ec86a2ca6760555a813c5536e48c48ae53cef7f9916fe2e1263c6198db41d88bce58b2e17a6732178b50304af23

Download Submit
C:\Users\Admin\AppData\Local\TempQBRAQ.txt

Filesize
163B

MD5
cef2128b0e13fed92a33cd1920b2911c

SHA1
fb6117ca23515910ffae5a552fc12a713d4f8c45

SHA256
956671004b583f6be50daa963baff8a7238fac9802fd5ef41607c997f8e1b31f

SHA512
375995feca64edab83ce297f8f79ce7098dd1722d3c1590a6d1d11921426e4941e1aedc55b394094eea132886390d3f2e67fcfff65c5bc316e6f5ba34a7deb45

Download Submit
C:\Users\Admin\AppData\Local\TempRMUJJ.txt

Filesize
163B

MD5
6e4eb1aff71472700c6dbaba4991f332

SHA1
215401affe570d39d40d2a4d5945572cc7262f2f

SHA256
eff0b06f4bc2c3fd694ca6fa8e257692da14b5b0393728b93ba828371fc702a5

SHA512
d65a71fe39e5bd37a19e404f21e259944cd7e3b0675f76ffb5fa1df30966cc21276c7e1a29a090b420090d8e6667617436c5672d682f2101864d016719d46cce

Download Submit
C:\Users\Admin\AppData\Local\TempSYEFC.txt

Filesize
163B

MD5
8f6e93c5788ab7e862a4a8b9e2cabb88

SHA1
180c97764b02dbfed167be2e645232661fc91787

SHA256
b0c5204560e86ad1cb2b86b11c05964e66767ea84d4f66d08473aca923a09f30

SHA512
ca30674b3ae38184d576363299827452a90ad8ca5099c36ae7298240e2cd5361fa6162d4d863b18a3889a56dae0e67f9703e47e1819e3169e18e5579d4ef74bd

Download Submit
C:\Users\Admin\AppData\Local\TempVORSX.txt

Filesize
163B

MD5
719397b8907346c4ad731a88431e5c88

SHA1
82e39b402855a2e35b17ab993176de88b6b1310e

SHA256
c40402a3913cb5375385289df865fdae8b19d7f4d88dac3486d08b72df431fe6

SHA512
8a7af850aead7ae73d9b1aade5fd5ed5d1ca513894c80e2ac2ff5c2c2b2a4109d3296b688d2e6a06a1de3536bdc7c51caaf03a2821619d5f5a86ec1bb8c23c3d

Download Submit
C:\Users\Admin\AppData\Local\TempWIXCH.txt

Filesize
163B

MD5
0ad409bb339a7544ffc8c18d068f0b3e

SHA1
1e9dc0a36c2d3f9e056c1a2461713f022257a26f

SHA256
60d9bfdb8407dc9d21914d4391bedabfcc82ac96266711737290458fed40027b

SHA512
a96496d3dfd02e8e15e0ff5d7451113812a47aa0db62af0fa11ce43b32c42080439706b213bba0157f09e026368ddb9c882f23ddf8e793aaa82e20cff51630ff

Download Submit
C:\Users\Admin\AppData\Local\TempWVHQH.txt

Filesize
163B

MD5
7b593bf2a665809e91a49a77c42d6089

SHA1
66a1b1148a7b2aa03d0009b81cc63ce3bc03af26

SHA256
00d6c93ea77ac1bb1003e181315232d4e15f14a1fcb355fce33483f0200193c5

SHA512
21ab4ac22dbd9ab532f989bb798a5bafd8369c7e4ce544ec97254f22227bbcfba6cbd72e5e36706c163d81cf3802154bbf6f83f68105e8717daad4df1f3d42c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe

Filesize
520KB

MD5
0dff1919456ed426bd5807da4e9113e5

SHA1
5d4e7d8116492e57683e51e84c78308948d30174

SHA256
2a289239e201e979144f44432f242548c7c4dd72a805b7c677574ad974b11af4

SHA512
a5284968fced5ee8fdb4310d245decb3bac5b505f314074f1d1a0421e2d23bd1a039132fa4f50deb0219eb918ebc60a404681cf8b8f84b1f2a4d1d4c5d0573ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe

Filesize
520KB

MD5
3eac3581f82e09ed062890a249caf76c

SHA1
53a798c199fa74d75358378f8fc9edb0eac2a436

SHA256
b7f97f74f929974f222433fa3ba807bd2594fc381d721c52e7d2dcd01ea08755

SHA512
0a8d38dddc1294feafb9fc73bc72f9524324f06b53939a2786771c063e6d9919da3fb812a22b606f9ea1d072636602ddfc277605acd9b14e70fe01c61d005981

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe

Filesize
520KB

MD5
5e694019d26affedc2a242c3e9ae98c6

SHA1
fbc144322cb738a896dbf05740c1bfac54af4ef0

SHA256
848cb715584a204ffad2e672df15c14f4edaca1801054d7ecd946739f48ce07a

SHA512
7dc100560404f2be7b6eccb48b305dbc23f68c1984c0eedbaecde3ddbfca96e505c6742bfc53a17986f8a059d2ddd0b7591f10fbd543849d287dbc98aa43d442

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe

Filesize
520KB

MD5
9b5c6d728cdae1f302d6aaac8940c31f

SHA1
2e71c1a8217a2cbbbecd43f4f025f865875d6e5f

SHA256
c886ed1b718dc5ae0be42e5331d7f876c389e56d445e4ecf655cab668abd3b02

SHA512
7fe192a93a84f1c85c7d5ab516c5e43ee916c46a9e55617ec128b2237139b8bd6645ac56790e65183dab46d6f95810a017dbbd37fe89b15a131858063ca27249

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.txt

Filesize
520KB

MD5
895f2c02f4e5a61a0760207d6f2ffb9b

SHA1
465ccb99a914d683b691a2a16e8c7b940d42b9e3

SHA256
4081138ce2944bb7eb1a7b5bf191cd9c2a7e6f7e4d20c2c6c1461f426ed71276

SHA512
06bbc0fb356b97157f306c9669c0b668d03f158401064947ba0f02ec54efe4ad5c66ea83f912e1cbddc1456f13eb66386dfcc90d87e609c1dd933e98bd7bf62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe

Filesize
520KB

MD5
842949e89155ded8e871e77700b1a5de

SHA1
af7b82b4e030c3fb79797c6d23b55159703b6579

SHA256
36d2de2031686c02582486a35de38a93edef3faf96898cb4d9d16d5a78a2c9b7

SHA512
fd8d899116cfbae762acb6dfcbd217c1d4eb874fc8fbcef0b9272bd0c08c3db56756bbb91339db90ec1333471d36463c8491a01bce7b40a3d08ec54defc20278

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe

Filesize
520KB

MD5
2dcdaddffa8b62236eda3bd993f6cd3f

SHA1
c8ad9b768da7c4d439dafb706b7a52d84278938f

SHA256
242f71d65e472879a5da11d39a957d1e8678576a9ef12f2839d1ed6d79e44288

SHA512
89637ae7c9a50415c2401e62915d8ea3a2b51b58323e94aa9508b9f3f062f25659f0eaad808a724f5c2bb182365e242c59f2807d7a65e94ebb20dd94b9c4acb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

Filesize
520KB

MD5
0391f152858dbcef005b24c7b8a02c44

SHA1
6c810597dfc6d9767fa41b4ab97bb7e2a4c60e8a

SHA256
b433f728f98c41fdd12c1544ec2a7d11703b96c12f4727e84e0945c95360c6c6

SHA512
54a5334b6003c6dc6799eb5b35bc086f57557e75afe5b0d913ee7a977b7dde8c5b3f70471e081abaa6a80e46631daa1e83e39093158fcc0e71dd4a8c611151e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe

Filesize
520KB

MD5
4b00330b640be1200f608d5fd5c36007

SHA1
ae13f3618faa593897f9b88188e5892bcf49c8d3

SHA256
0c40c0f2dbd38edb624131522f68ad4be478cf62b4c33cb0c1607b3f5b26472c

SHA512
0fe286f9f71b993b1dd00cc1261c73a00bed72953ad52169fa91d82092c6ca5396beb2187ce1915818d8e0a2ce98bd8e49d16f0704b0e783d801c3cb36d54bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUJDCJSFGTYAQYM\service.exe

Filesize
520KB

MD5
b0f28adcc8ec93f5b9f0f89987269b50

SHA1
af85fccfcbcc5380ee4c1c285452b0f07a3e721a

SHA256
06e0b5aacca36da1423c8ba44f2ca815b3fa6c4b6f5ba3cbb10d94e83beee1a3

SHA512
f606bd2f34b154d8e8a3886df21c7cae44f4dbbd32cd6eb644235b781ea77f317b62429a6ad0fb5ea91f55e5d5e85b4651f405d8157a9d1d45381f54e163b64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe

Filesize
520KB

MD5
7f9e6ad0ccf1207735875bfea5ba7564

SHA1
4f44f203093e4c9b0a793bcd30dbe085e6e23143

SHA256
76ac9bf75bcc9734c5985f07be80036d6cceac248734debacc684aed5791d7b9

SHA512
f19cdf11775054cf9d8dbb8c591570d701c7259da2d32e7fa510f43371bfb07bf6945710d97257a892dff6ffdb06b1c5d653142370e949e8a8cb0744a3b4d21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

Filesize
520KB

MD5
9141261bf88f7034f27a103be9d02ee0

SHA1
a6c9f7655ccaf0666d74cd662ed2d4647e605fe7

SHA256
df4d47e0ccdd1e49c68c4ea8b63e5d8d69d2be4ec64fe00126d725e50e1db813

SHA512
22af567f854a3d7215ae4d00ebb4b6a376d2f1a1204650ae56bf599027ff4275f114ff59f6ebfa45e81bdf4b666a4c85ade739d17bd619389cbd126bf14f2cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

Filesize
520KB

MD5
1150557cb7c040cc1c9180e772884eb9

SHA1
32c221f4c86eff1477dda34dadaaa6583f065e7c

SHA256
605796e43c65b497ecf35c8f793434fcd008b16b564e59275ad0c12e892f587f

SHA512
8b54f77d7fa281ed184cf9d402d469bb685a1114708517614d59d7d1799790f50441c81be5be61fa8229372b60e5e3fb400459e074b548feaed3fc83af699d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe

Filesize
520KB

MD5
49714c4c821a1a7d7fa5425984a46234

SHA1
06f890c9d9ba20f15e16869272ea9d00129b9933

SHA256
4ad869e69dcb03973fbdbaa51287495b755093b855b2fc9fa74e93c0645a6bbe

SHA512
f9f96055b46e1e84375c02482b83cc892b116c10a45d1aead241a285deefa88882d72f40233180970695e46e81ac1287551dd942344f299d2b4cdf1a335b3d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe

Filesize
520KB

MD5
a4d90f8c7a632a40550b54a9f4b69c91

SHA1
fbb389b6ef5ab7e827031ab087299e097c9156e7

SHA256
e856219e02527cd9f47cee6435f92f58ce913d87bf437e41a20e0d3bb4205f2e

SHA512
83c27b179b50e8ec8f4240440235c19dc00d2a477c4771614a63bf8d189cf2c3cae6adfb95bccc8c48c0df6f7e1cfeb9f564d32e48e26d141666f699ddd1ed09

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKSGQH\service.exe

Filesize
520KB

MD5
9800926a1267bf7115a104a37102b2cb

SHA1
9f79490290155fad674df522e4169bd16df7c9f3

SHA256
00d40b5ae1d94ff16c905369cb869231ffbda66beb264821a631ede2e829320d

SHA512
b0a4fda46817c991bf8b30bd203ae75e7cc28c2d278e3f1794dc41d16d00f94d145db256dd4bfd57cb173c7cc73113d07d465dfcbfc84515ffe0da8ffe036b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe

Filesize
520KB

MD5
73c2dea935405c25f8add1ba15a0d6c2

SHA1
a8bfe435382f19b7a81cb18c9f39f77ffc7a0d9f

SHA256
fe61c574ea3a9da6e738e5de4a2ba8b57264e5c15322fb7f5c1153200027e8a9

SHA512
0ab60e67b05d30ff3d6f9fd74f02a51c5afbbfeb992792f58511ac55e3d203f95d7fecadc28e5eb692d91562f36867d8a97b09c2d80862ca38a0d1bf1f021909

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe

Filesize
520KB

MD5
139dbb564b43da3f36b71ded29033606

SHA1
20c63e7d748696308814ca3484a111420e407cba

SHA256
617284a57a8effa9270e8daf8e7b7212ba591b6ed7df206c2def78af4fdef47b

SHA512
fea55ce4c0504abebcf1a61078eedd38b6140b323ba70a947c4685aeee17fbe7bda1c9184a75ffd1ffd0623df4184ca743c7b62f8716d5a55b3120b17978222e

Download Submit
memory/4520-490-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-488-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-495-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-496-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-498-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-499-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-500-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-501-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-503-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-504-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-506-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-507-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4520-508-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads