blackshades | 0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
Size

520KB
MD5

8dd7367d4f6217d792a9f5ad0fb3b64b
SHA1

2c18e3bce4620eabbf9f4f233c8fc0f16863e5f0
SHA256

0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd
SHA512

1ef67766e26d8ac0ca693e09ccb8ccc021f0f1b6934f13f875e9c7e73e7f7b6f898b99b62edd54272c42070af63565685997a03c6f738d7968e121b626906712
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXp:zW6ncoyqOp6IsTl/mXp

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral2/memory/4776-666-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-667-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-672-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-673-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-675-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-676-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-677-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-679-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-680-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-681-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-683-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4776-684-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GBXQVOEOIGJVWES\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 25 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 26 IoCs

pid	Process
4212	service.exe
2516	service.exe
3968	service.exe
3472	service.exe
1116	service.exe
3408	service.exe
3336	service.exe
1632	service.exe
1092	service.exe
1744	service.exe
4364	service.exe
5112	service.exe
4424	service.exe
3564	service.exe
4540	service.exe
1376	service.exe
4576	service.exe
1152	service.exe
380	service.exe
988	service.exe
1340	service.exe
2204	service.exe
2884	service.exe
2080	service.exe
4428	service.exe
4776	service.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWUYMCPLJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPHXPDND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QWNLPKSGHYAHHQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VIOVVGAOXKJWDUM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNGKBM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIVXJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ADOQLJLBPWFRVGS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUCXNRWDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIXWKLGEHXKRBMR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYGQGLDULKAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIUROSOVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AYFTSENEWOKFVOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMAABWBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXTHTEDHYVWJOVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RNBNWBUYTPQDIPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BGVWTCDOULJNIPE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SFNEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDSXQGQKIKXAYGT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YALQXYJBDRMLGBW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUPSWUXINSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDOLKOCFBQVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONOKIPKAOVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNFXOLFVPAQPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRKLVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAEOTMCCEGUCQPB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBVXLQVBCAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVSGSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWMNL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GBXQVOEOIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NQBGLYKSJTPKTFU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKKSGFGCAHCXSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SQUPXLMFMMVRQFO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOKJWDMWUEALEYF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDTOCJE\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 4776	4428	service.exe	210

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1908	reg.exe
816	reg.exe
3160	reg.exe
2612	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	4776	service.exe
Token: SeCreateTokenPrivilege	4776	service.exe
Token: SeAssignPrimaryTokenPrivilege	4776	service.exe
Token: SeLockMemoryPrivilege	4776	service.exe
Token: SeIncreaseQuotaPrivilege	4776	service.exe
Token: SeMachineAccountPrivilege	4776	service.exe
Token: SeTcbPrivilege	4776	service.exe
Token: SeSecurityPrivilege	4776	service.exe
Token: SeTakeOwnershipPrivilege	4776	service.exe
Token: SeLoadDriverPrivilege	4776	service.exe
Token: SeSystemProfilePrivilege	4776	service.exe
Token: SeSystemtimePrivilege	4776	service.exe
Token: SeProfSingleProcessPrivilege	4776	service.exe
Token: SeIncBasePriorityPrivilege	4776	service.exe
Token: SeCreatePagefilePrivilege	4776	service.exe
Token: SeCreatePermanentPrivilege	4776	service.exe
Token: SeBackupPrivilege	4776	service.exe
Token: SeRestorePrivilege	4776	service.exe
Token: SeShutdownPrivilege	4776	service.exe
Token: SeDebugPrivilege	4776	service.exe
Token: SeAuditPrivilege	4776	service.exe
Token: SeSystemEnvironmentPrivilege	4776	service.exe
Token: SeChangeNotifyPrivilege	4776	service.exe
Token: SeRemoteShutdownPrivilege	4776	service.exe
Token: SeUndockPrivilege	4776	service.exe
Token: SeSyncAgentPrivilege	4776	service.exe
Token: SeEnableDelegationPrivilege	4776	service.exe
Token: SeManageVolumePrivilege	4776	service.exe
Token: SeImpersonatePrivilege	4776	service.exe
Token: SeCreateGlobalPrivilege	4776	service.exe
Token: 31	4776	service.exe
Token: 32	4776	service.exe
Token: 33	4776	service.exe
Token: 34	4776	service.exe
Token: 35	4776	service.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
5096	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
4212	service.exe
2516	service.exe
3968	service.exe
3472	service.exe
1116	service.exe
3408	service.exe
3336	service.exe
1632	service.exe
1092	service.exe
1744	service.exe
4364	service.exe
5112	service.exe
4424	service.exe
3564	service.exe
4540	service.exe
1376	service.exe
4576	service.exe
1152	service.exe
380	service.exe
988	service.exe
1340	service.exe
2204	service.exe
2884	service.exe
2080	service.exe
4428	service.exe
4776	service.exe
4776	service.exe
4776	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4704	5096	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	89
PID 5096 wrote to memory of 4704	5096	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	89
PID 5096 wrote to memory of 4704	5096	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	89
PID 4704 wrote to memory of 3980	4704	cmd.exe	91
PID 4704 wrote to memory of 3980	4704	cmd.exe	91
PID 4704 wrote to memory of 3980	4704	cmd.exe	91
PID 5096 wrote to memory of 4212	5096	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	95
PID 5096 wrote to memory of 4212	5096	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	95
PID 5096 wrote to memory of 4212	5096	0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe	95
PID 4212 wrote to memory of 1572	4212	service.exe	96
PID 4212 wrote to memory of 1572	4212	service.exe	96
PID 4212 wrote to memory of 1572	4212	service.exe	96
PID 1572 wrote to memory of 1832	1572	cmd.exe	98
PID 1572 wrote to memory of 1832	1572	cmd.exe	98
PID 1572 wrote to memory of 1832	1572	cmd.exe	98
PID 4212 wrote to memory of 2516	4212	service.exe	101
PID 4212 wrote to memory of 2516	4212	service.exe	101
PID 4212 wrote to memory of 2516	4212	service.exe	101
PID 2516 wrote to memory of 1160	2516	service.exe	104
PID 2516 wrote to memory of 1160	2516	service.exe	104
PID 2516 wrote to memory of 1160	2516	service.exe	104
PID 1160 wrote to memory of 4984	1160	cmd.exe	106
PID 1160 wrote to memory of 4984	1160	cmd.exe	106
PID 1160 wrote to memory of 4984	1160	cmd.exe	106
PID 2516 wrote to memory of 3968	2516	service.exe	107
PID 2516 wrote to memory of 3968	2516	service.exe	107
PID 2516 wrote to memory of 3968	2516	service.exe	107
PID 3968 wrote to memory of 1236	3968	service.exe	108
PID 3968 wrote to memory of 1236	3968	service.exe	108
PID 3968 wrote to memory of 1236	3968	service.exe	108
PID 1236 wrote to memory of 3064	1236	cmd.exe	110
PID 1236 wrote to memory of 3064	1236	cmd.exe	110
PID 1236 wrote to memory of 3064	1236	cmd.exe	110
PID 3968 wrote to memory of 3472	3968	service.exe	112
PID 3968 wrote to memory of 3472	3968	service.exe	112
PID 3968 wrote to memory of 3472	3968	service.exe	112
PID 3472 wrote to memory of 1988	3472	service.exe	113
PID 3472 wrote to memory of 1988	3472	service.exe	113
PID 3472 wrote to memory of 1988	3472	service.exe	113
PID 1988 wrote to memory of 2656	1988	cmd.exe	115
PID 1988 wrote to memory of 2656	1988	cmd.exe	115
PID 1988 wrote to memory of 2656	1988	cmd.exe	115
PID 3472 wrote to memory of 1116	3472	service.exe	116
PID 3472 wrote to memory of 1116	3472	service.exe	116
PID 3472 wrote to memory of 1116	3472	service.exe	116
PID 1116 wrote to memory of 1796	1116	service.exe	119
PID 1116 wrote to memory of 1796	1116	service.exe	119
PID 1116 wrote to memory of 1796	1116	service.exe	119
PID 1796 wrote to memory of 4572	1796	cmd.exe	121
PID 1796 wrote to memory of 4572	1796	cmd.exe	121
PID 1796 wrote to memory of 4572	1796	cmd.exe	121
PID 1116 wrote to memory of 3408	1116	service.exe	122
PID 1116 wrote to memory of 3408	1116	service.exe	122
PID 1116 wrote to memory of 3408	1116	service.exe	122
PID 3408 wrote to memory of 3524	3408	service.exe	123
PID 3408 wrote to memory of 3524	3408	service.exe	123
PID 3408 wrote to memory of 3524	3408	service.exe	123
PID 3524 wrote to memory of 1888	3524	cmd.exe	125
PID 3524 wrote to memory of 1888	3524	cmd.exe	125
PID 3524 wrote to memory of 1888	3524	cmd.exe	125
PID 3408 wrote to memory of 3336	3408	service.exe	126
PID 3408 wrote to memory of 3336	3408	service.exe	126
PID 3408 wrote to memory of 3336	3408	service.exe	126
PID 3336 wrote to memory of 5008	3336	service.exe	127

C:\Users\Admin\AppData\Local\Temp\0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe
"C:\Users\Admin\AppData\Local\Temp\0e3b42ca05aa9fc68bd72a00bf54a9c58465723dd7a8bf72d853e8ce7a7fbfbd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDCGYX.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ADOQLJLBPWFRVGS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3980
- C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe
  "C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBOWCU.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXWKLGEHXKRBMR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYGQGLDULKAU\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1832
- - C:\Users\Admin\AppData\Local\Temp\PSHBYGQGLDULKAU\service.exe
    "C:\Users\Admin\AppData\Local\Temp\PSHBYGQGLDULKAU\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJAESY.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAEOTMCCEGUCQPB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe
      "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEUVSB.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NQBGLYKSJTPKTFU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKKSGFGCAHCXSGN\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\SKKSGFGCAHCXSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKKSGFGCAHCXSGN\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBXWAN.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQUPXLMFMMVRQFO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIUROSOVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYNW.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVSGSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWPSTY.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YOKJWDMWUEALEYF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWEF.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BGVWTCDOULJNIPE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKIKXAYGT\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\HDSXQGQKIKXAYGT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKIKXAYGT\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVHDN.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YALQXYJBDRMLGBW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEHISO.bat" "
        13⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUYMCPLJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXPDND\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXPDND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXPDND\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBIWER.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOCFBQVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYOPMV.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AYFTSENEWOKFVOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempULAJU.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QWNLPKSGHYAHHQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEAKB.bat" "
        18⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VIOVVGAOXKJWDUM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        19⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONOKIPKAOVEP\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\TSCONOKIPKAOVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCONOKIPKAOVEP\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIOTE.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFXOLFVPAQPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHBPXK.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTEDHYVWJOVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
        22⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBUUJS.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNBNWBUYTPQDIPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIVXJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        29⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        29⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempABPYL.txt

Filesize
163B

MD5
07eac661d1b577e5b372b206c824c2d5

SHA1
5e31c3f675be31225f7fe90c39b52161b503a7ee

SHA256
a42445b8898e0d4dfb54b8bc5d5e14c56ee52930c88e113112e0dce363d4f36d

SHA512
b17da091c3f5075e2fe629252281c160e439bd3e64aed6fb5bcd147076b9c083f5e2e9615d66651b0595d4e74049b4c5b1ed51d6f608069a49a554453abcc579

Download Submit
C:\Users\Admin\AppData\Local\TempBIWER.txt

Filesize
163B

MD5
c78a9c4a35ade4129cca9d1e9fd17d34

SHA1
bec85bc03f9797ec011767d39a60fd8a6912f417

SHA256
8cd75fc67979d0c3c56d6730ecc15e6c45ef6dab654666368196e5e97d1491ea

SHA512
d49cfec62ab739821ffe1b2bb947e5d29fa76810203c0e03784e267832c23a7449c192da90bc048474f15a34663b610733f4195462ade9298584a0538864e118

Download Submit
C:\Users\Admin\AppData\Local\TempBOWCU.txt

Filesize
163B

MD5
6f1a7e5fc08d9b73a0fab66c2a3482e7

SHA1
5b9c09b995a25634629551c0fd3085792cebba9e

SHA256
5df8e747c665064ebeb250345f9ba9e1bff2952d58294c6b428c6f07bd0a2ccb

SHA512
6b476dcb679b66adb08b3d9f5bc459a52e14c6aa9c9658549a39d8da052502c387ac4b5f7630cf42ed9bd13c066418b9c1e5cc44af793eeadbcfbc98ca29acef

Download Submit
C:\Users\Admin\AppData\Local\TempBUUJS.txt

Filesize
163B

MD5
1c10cc5dd081071a8c9f9e88cd54f054

SHA1
4e5864bffcd4e685202bfbb6249254ff8ad5e4d5

SHA256
ed10129c59a32eb1acc13febdd0bba63fabc1353eb5747aa1c1814344e5a2d99

SHA512
8757d10d98aa8efcb3a00e7546193c2869d010f561e9025e4467582e4c71778f24fcb4307a0877e9744cf34829d57eb0cd1dc35677ca1ae0a4f1ded2153f6d97

Download Submit
C:\Users\Admin\AppData\Local\TempBXWAN.txt

Filesize
163B

MD5
dd6932a3b7d6529ab249b4bfc8073942

SHA1
bb837c58ec101d020abee17175e027113292e16d

SHA256
26cfd2b5011c72ced30ce3c1d6f035d2f0c8503d388b758d7707de25181e397f

SHA512
f30ff83a5ac13b90353197e61bc9b7a4eb4a0d0b56f29fd3ce8ad0dad8e5ef970fc00cdc2640275e04c37f07c6ecf161d3e979a9681f03f29adee7c75beddc0b

Download Submit
C:\Users\Admin\AppData\Local\TempDCGYX.txt

Filesize
163B

MD5
98a48fc383994d72e4125e619f9010e9

SHA1
143d6cd2110e16f3ddbd5cacb19517c854666c54

SHA256
799f3cee72b102a7c84dbe916c134765a9afa5ec28459a852d0827a471d1b473

SHA512
2dbc58e8026752432bbbe1ec486c71de005df6098fb6f7d31c69adf83125de11e5b83dd5731d7f0471c090af6835cb60c17b9eb566b3a31e387ed3358d3dc325

Download Submit
C:\Users\Admin\AppData\Local\TempEHISO.txt

Filesize
163B

MD5
a25d42e3332a171c66fe06552fa5c783

SHA1
7e2ce119d1afb2d8c2cf70415e7167b4b15b649e

SHA256
2bf32c9468238225291fb211e1e3396ec45548da3317765cd07fbe3217097c5c

SHA512
e2202f3e1bfbbf91f3a14454e3d84950e92cf6aacf31a1eecf8bd570950fff0221a023585e88a4ab02d35a938e0530d9ff2a772e857eaca88bd16471257f7209

Download Submit
C:\Users\Admin\AppData\Local\TempEUVSB.txt

Filesize
163B

MD5
ca73329520d24a732ceeb018d842fc35

SHA1
245cbbeaad5e658c6c38a76f87b498ab08c24357

SHA256
8d069bc8af86f7524619d91d9c4d0323c2dd4965b67baa1ef48decbdb2a42c9f

SHA512
4273a0d2806abf75765c4e343c4a08675a5b62a497eeba09d8109c22cb78f376df4963323cdf2d325611c400b55c964d3eb4df307ce54290261673176e24382e

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.txt

Filesize
163B

MD5
502355bc3a6cdf3113d94e77f0da4b3f

SHA1
01b720ca6512770e3bb1d082949f3d5e9a557ddf

SHA256
1ff69e5324fcd04e3e4c353a98844379f27c717706596457e91e01c6548dbbc8

SHA512
fa6d15cf9354b56f3d21ebcdd3444a4af491caa1cefa7a215a819e07322892daf45afd796187d017a973562b6d7683d09ba24f0ce1e1aa5499d21dfbb46ba94a

Download Submit
C:\Users\Admin\AppData\Local\TempFXWEF.txt

Filesize
163B

MD5
6e8519bc2aea3fafeb96ae4d1444918b

SHA1
2b3264139e7c55771a6f0d7f8eb9eeda263f57af

SHA256
47e0bde7988a9719fdb95510902da1c61009fb5de58cb88461417459de8543bd

SHA512
e300bf043a2c6aed75a75109b2ea6b24d0f9b6f25331a8e27bceff38fbf95332cd51e8371b7c64390f4b9a4a2295bbe75a802da91cbf71b13f7471ba0a0472ba

Download Submit
C:\Users\Admin\AppData\Local\TempHBPXK.txt

Filesize
163B

MD5
e5416735d419202f0b2b4cc0ef9130d3

SHA1
e661248c8cd24ab4e7ddd3bd533182bb1cd36890

SHA256
15d16777edaff03d475262cee4b6249011d8ac1e3f3c767f76b3ef2cde8bb7fb

SHA512
3cef4730d169459837e7cf5b0d20b9db4461ddded462000487a18e2d9553c94e1c5114c9c990ec07a4750b4feb0ad7b723dfb052a695cf2562861dbf18401349

Download Submit
C:\Users\Admin\AppData\Local\TempJAESY.txt

Filesize
163B

MD5
4232565fe5cf0d971b4e7c2a035e6d25

SHA1
ccbfcc9c9af8b8252c5b4e1f02bccecfb105c8f5

SHA256
cc6c5af9c416482c3ff0d26f976158500362864180cb00781f9cbcc28a11d8e6

SHA512
1ae89cc1f670a6cc7d658745eccb30c142e2a0e06d0a5d4e34481e503783c1ee6258dac5831c6851b3f4e501415eb8b94af60f0daa7fafe0d57659b5f7ce19c2

Download Submit
C:\Users\Admin\AppData\Local\TempMJRDK.txt

Filesize
163B

MD5
469f3e5ea5e8cd2c141fab98f2f64e1c

SHA1
b515a918878ae4e5e292acd4b871388bc445161e

SHA256
b058ef8d671332bb18372495bcc723fdd18cfa6f7353d9c16ca997caa2df44e9

SHA512
2f86365055577c89259b0340e93a9c88856955c1fc7f1f3b177e2feba6442905f27438414a0f230123bd16f7e299805e39940c8b4eb5e2c3fc73a936af17c219

Download Submit
C:\Users\Admin\AppData\Local\TempPVHDN.txt

Filesize
163B

MD5
d40a0c18d832a36bf002f6f30278d8de

SHA1
e4948378a08b92217d97d780e1dec4312c0194c7

SHA256
95ee90953f75383af826b2cf37e6af7f67007b76424eb41648f528cacd9680b2

SHA512
821b45c84a4a7bee59a3906b4bcce87b50cc17eee92a7838d90a919cb0fa230746e0067274a7c777e1ab71978c9cf51ad03be0459c965aad2b19b2132b79a34a

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.txt

Filesize
163B

MD5
a6f8fff8839430c2dfedd5e3eee66ff5

SHA1
f9a0ea98a7dbfbf88823f54dd53c488d7d87cc39

SHA256
22c943efc1ed8a31cc82099fe174f082eaca134c66969d69686fc737a0f3dae1

SHA512
657e620edf1a26f959c6168088ad6bf1d670cb8325fd01e07df5a7e518284bde0cb3f8f8ca9a4bbb90b1b6cb3b9c9229b981726333cd701e6c224b575d4bb7b7

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.txt

Filesize
163B

MD5
a92f22d6aeebba42c05729c0c7188c08

SHA1
0de2b31be037959418e09bd24a547bba663e5fbe

SHA256
a75a1c5499d9c5d310706d6f0f239247e0eb87c3a09adf045d8514034a81bfad

SHA512
8334a9f1a511194751060865501a1e4c8bd24c625a4251b2ebed829b4e88da66b69af1857786a2fac53075e5774662c1689113e0c370c74a160e21e7b306f35e

Download Submit
C:\Users\Admin\AppData\Local\TempSEAKB.txt

Filesize
163B

MD5
ec7205e658cd693604eb27c1bff154ea

SHA1
0d74b751d59897f58117de8f5792906eb3384999

SHA256
bb1eb2bd2b1b7e9c4a422652e188114df59a9174ad71cfc5a1b34b64710c6abf

SHA512
64bfa32ffc94cc0a31a31a68f356da2bf80020bec52a5c5b001eadb8f3aedffcd0f12163566573e99374e25d305f751a26a23a2866a91e11308c55f34e27b9f8

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.txt

Filesize
163B

MD5
3488c42776cae9cf6a043bd69b5b3a01

SHA1
28e32f5297c43ec9425abede002111219a889773

SHA256
0e42af7b06259cedbb36f5f5cd93304a118dbf23d0669c8ff377af17c0b672d8

SHA512
ac3a4249f324b5c65b00209cadc5df204088db2be8b983deebd1066641d13ab81c59ec2b5ddcb90bef97a4ff1f03868f64eb73fac1d7e9852dd8f5773b8c64fb

Download Submit
C:\Users\Admin\AppData\Local\TempUFYNW.txt

Filesize
163B

MD5
117ae64377fcd0b3f6c17a5b75e92c67

SHA1
ee86d6b3c20bf61b55e604ff505b8747d0029d81

SHA256
a71761e30a6df1e77c66f5be61bc5389695a385496ee0322a1a826371100a9d9

SHA512
d3c5b086da58d502d90bcc6336e50fb63c6f70b7144840073444238d1fcf27c04ee29fc5adc93315eb522e873b6ec2d1c6a43a8d04e9a02d6b4f07a915a5040f

Download Submit
C:\Users\Admin\AppData\Local\TempULAJU.txt

Filesize
163B

MD5
84d13f21ac130d518e20847d96719c61

SHA1
e667ed85fa61dfa0925a29fa3e6f5edd64f1d54c

SHA256
186b2daa8a082dc0c0107dbf42340a3baf59d07f718628518fdf7d5574d6486d

SHA512
b001b07cdf583f770d1a6487eebf2d07ef1b882d36cd361064e40972457d42c1cec81d5f38106eb21fa94ffc16a6b0ad4499935ccb8c326b501685527c47e12a

Download Submit
C:\Users\Admin\AppData\Local\TempVHNSE.txt

Filesize
163B

MD5
acb7ab035be64854518bb5e306b13a8a

SHA1
3ae4a2941e51e178cebc11957ca3806c19d038cc

SHA256
ac9b520d8435c2660f3a4906cf6390899591023291fd11f24b71eeca061e0478

SHA512
e79c5491cd63c1eaa425a637063f08a8edc94b8739d8bb167e860ae4906bac31937c3fe1774e7e5b06f6c4c7d7990fa30d8f91e4965d450a42bf0662510262aa

Download Submit
C:\Users\Admin\AppData\Local\TempWIOTE.txt

Filesize
163B

MD5
7bc1568c0ea56d833fd555ca981900a4

SHA1
1badb9c152c03d3f526ea68d3e8ff7ad8844d1ff

SHA256
35c549f08c6f868d64abb27faa9d9eac4544abdc3f60d1d3baabf1cd5e08afc5

SHA512
4362bf54caccb65c568507a04f3abd31d312ab379f04928c2c10f61d9e1c7ab94ecd80a3569b9cee46344c3cd3c31d0211f44581793b0aea1fc8351dc47bbbe7

Download Submit
C:\Users\Admin\AppData\Local\TempWPSTY.txt

Filesize
163B

MD5
a91918fdc98719e6d6f2c530f96a9b07

SHA1
d8a31cca0a55cce4150268c87b08eeb887678eb4

SHA256
2d73f2eaa5465293c8e211037b183c6f7f6e5466341446dae40317615f077b0c

SHA512
4a12cd8f1eca8c3b9b59407de2bb3dbd63e11855420595cc64efd840e04188b3de73cf3c0862824e4eb65c9fb74d25714b9a44bbc05485d3517e7bafa61db77f

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.txt

Filesize
163B

MD5
43e14122200fef8f5997e783f53474c1

SHA1
986d97b9b549be4e4f9756b254a31e4e1fd0161f

SHA256
691afad25b2c41cb4f17208a63dfe9d593ecdccaf556e3ebf869acca7e4319ca

SHA512
58f18c79783e449bfff34fb07c1a06283c76cb2642396c013b9dab1b095e8593625a4189585d51e8619947bff40d899b57e0691ec2ab119522f455f20aee9e70

Download Submit
C:\Users\Admin\AppData\Local\TempYOPMV.txt

Filesize
163B

MD5
addad52619be4a9e9f63ded16e6b450a

SHA1
084578cc6b0f16c5ba2f5420f007b790d685e687

SHA256
3a1f0a3eb732c3e843fc89d3bb5264e6559c28b2adaf6105262557ef6dc6eb4a

SHA512
1042082c639c126b1700c1755ec64f6dc6d1d2b536175b8c89cfee4c38066bf3b6b0b213af189372df4065e9f1273f392a121e02762d4f0560278369ed7d25a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe

Filesize
520KB

MD5
906c06b52f8cb8cf11ace7eabe66ea25

SHA1
7895b13ba86dbd094b959fe9f137355df39ce39d

SHA256
2cb4739211321f60476b8647135ff4eaaf0c378fbd086691673a2cb0f857940d

SHA512
c99b35cabb3097a7223bde007c06b99eb69d658233388d4eb0b9c8e3762cde3544a20c91e6d8b3d1f9e4c5550b77ebbe9e26a7b62e0c396cf57ae680b8a5b4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.txt

Filesize
520KB

MD5
61178f5b7c44e1b97b0dcf54fb9d55d9

SHA1
64778806bf0d42cdb4d2674a32ab18e8efa604cf

SHA256
c5fa683619ef0907feab0fa8664a16a5a943de859bd1dbea862b71b90e2901c5

SHA512
997d61be94d20c17a8931711771d6719c045225b358c21af740d2ba691ae0ac83d226d44d3bca0d1a9a03288c9d3b1069dfd3241864ffc60c1858a6bc4bd0775

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe

Filesize
520KB

MD5
aae71e0e585bd273e4666aa2c6250b99

SHA1
0aba25660f21a2491dca3d4b8fa391a098a10fe2

SHA256
0a67572c3c3770d953d58f90dd4414b0e7802d4b04dd7b035ca3e2907902615d

SHA512
73afc3b2ffdf5248db76f9d4e6ce8e194bbda46adb7fd4f37699c70e301956f1384d143374cc06369f187b697bd6d8ae207c12019d98439ffc925a7d5ca5d738

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe

Filesize
520KB

MD5
7cf4f9f2e534a11795f18402c0dafc28

SHA1
fd3284a53dfe17255e3f103105680362b13852da

SHA256
e040e6e45be1cbc216c081fa72f124d3d8c1784e64518bc2bb376cb3fbc54813

SHA512
d006eb244499bd9919c25f1a78b85d55ef1a84bc0cffa9a887b2de7ed77b80432d2be40bbc693d803f2046ab04ffd9fc6713c2bba097f0196c8ac03664bf748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe

Filesize
520KB

MD5
be755994ef1111533f55fb13465d8ead

SHA1
b0bd7dfc6135fcb2a77488f847624cde032608fb

SHA256
2cdd84d9cabe86d95c25e22e893f4de17bea0399bbd2f7940cc3d3fcac2ea45d

SHA512
c181de77ed3d3ecf986d363cf97ec3b05392a6a58bb2a6e08ea84390762b6fb56db3cff27a08bd8775e225fc85bb0d5545bede959c09df2b825a3b8bc437696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe

Filesize
520KB

MD5
5525bc29b77a80d3a4d82df434c5ee01

SHA1
d8ba1224d17c5b79523b2da70f9583d4c5aa2ab1

SHA256
71869534070b9679dfe699f27a0149d072af7b178b1a48d8335e552f00c36318

SHA512
d6eb9f96a9101820e4da67dabb53081c9b26eecb5ec71d2005608a713ee0834b5d57b4eee63d4aac42b650083eeecae1c085d7f41aeec7bc642ab2d633c5e41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDSXQGQKIKXAYGT\service.exe

Filesize
520KB

MD5
e88e382fcd5667a300f44cadea671883

SHA1
3ec32d6e6b7dc4f682285a0675b384e4b96d1f5a

SHA256
d24f4739ce0ea8f2ebebc784a379a284cc1b05910ea7aac02f4ac932bce3cdaf

SHA512
8d7b04bffd9a21806cb1878edc83c1c61c08bcd4abfc76e9eaa3cd7a0416c82774ecddd45248b1fcef8b8202435f9f18803d11e87b17ade93af1ba3e7ff92176

Download Submit
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe

Filesize
520KB

MD5
143b8c7071b7798e1d0113bac3a8c24c

SHA1
bc7844cabb8428547923316617393b5e8d3f1373

SHA256
da447255cad39e70902607552bcaf6d094acb424fc2f498fbbac0246dfb0c1fd

SHA512
b613890c9f36c6f9ccdebda103d1d59d5ac00458136c5d8966506e56ddab74bb430f63373e0bd81bf855050931c30bbec9c7f2045588cf4d4b5c0a52d1074f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe

Filesize
520KB

MD5
d6424150217f7c957bec98879b00ca41

SHA1
f35c0dc9be748233c51cc338cbe9ec9daaadfb6a

SHA256
34e60b68d45d6a952d605fa0125702a515d767acb77335a34e93311b30fd978a

SHA512
3df8ae30e357c27d793519d080041ab14be6dfc90e2ace55f310c44b140f3a1cbeacbed4cd07260e9e5a07c22a8549a40aa5da111d53cb2556af9c6449f850ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe

Filesize
520KB

MD5
c1997d14bfe6d052a5ad06475f7458b6

SHA1
c4f711d366f46baf63dcbc8a445ecc36dd012d94

SHA256
6025dd01fc7bef62e9978dd7a95cd26dc8ac8bc2a7f05f004b6cb73a20c6dc5f

SHA512
0f9151fac75e0efd33898fbe4967b162bb9f04f069011cae6cf7704c8c86ec9e44076b8e2e2fa7a88e9c85d0f0a4062649066de19e9d8de26b1728b3b5bca9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe

Filesize
520KB

MD5
adaddacb9fdc0d1868151470b9eb0e98

SHA1
e6925017dd6997761171c4f1c26f62a03bf23971

SHA256
b2c0efa0db2d3f5c6562831b7a8f173b80e8a031a6a7d050e312b41db1229220

SHA512
dda67427f0cb53cb3ad62a5fe6ec90e59ed0f7c295908f11b1636524deaa256c59f2631453ff985d05fb2fa81cd017113467541672e2d505e38145d3d8f67692

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe

Filesize
520KB

MD5
f718d521eb7faa23cc7f8fe9666181c8

SHA1
73d4b3099cc7c60cca55e6e9a12fefcfa2c02b4b

SHA256
27e861a27c992568c3a635ddb856aa2adc49b05b895ded59ae893699fe69fc2e

SHA512
67e17f0e7cfbb19b2c954001ae3320ac7490622e49a65eb0292c0b9e221e4f35be0dd307406da91d581db28f82f16669c34a3e2a75d2d2ea2b9851af4a973b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSHBYGQGLDULKAU\service.exe

Filesize
520KB

MD5
cb444897623baa5b230638629fc680c3

SHA1
98c8686e6a9c2f82f5cdae7980b1ae2e7c107ec9

SHA256
2de0db92de181a3ef0e344427127ba32cb737f1498d697a01eb0f99a84c391e9

SHA512
bbec54793f9791ea93480072876f3e2d51ae03741c1ac6b52007f414588a66beb80d42e4b9ef38e01cb33efe44857f2e98e6516c72df06ce7a744b3ab219d672

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

Filesize
520KB

MD5
fda058b966d3e6f5a183a17ea8da0314

SHA1
385e6303cb1361af358f6c0f60cd575b350c11e1

SHA256
3824c609bc6e5f110a251e770402b90295d18d6d2549de138902382b0eb9aa78

SHA512
5d4896f6bd7a1cabad88bd666b2571195e34284b75a515e602136139c00a91388419559a51f8eba9152303127c7e0091f7670278f559b7aa668293e19a44598e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKKSGFGCAHCXSGN\service.exe

Filesize
520KB

MD5
d86e2054edcceb19efd2b6c9605d6495

SHA1
85c69e5144b160a14df6ed68153744af97e02a9c

SHA256
9f5a9272d74d2065222ac69f620564e00f215c6e185deeab4d9a677cce921338

SHA512
9bfe041dd5fd925158a643ac4797940c7af9c2b1f1090f7b8a1bff8ec8912f91f4a4405194968402d82dfaec7b459e3f97ea4f4e93d6f29bfe11640b004cd9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXPDND\service.exe

Filesize
520KB

MD5
6fd4a929df043d361d30191a2c870376

SHA1
582077cc2da1166dfda9a2b1ba48bb42b9ffbcfb

SHA256
3fcc0f6fe1437e169265e0bb1b29720bdf3fd645692a931cb6a1c09d76df1c6c

SHA512
f35c298c76aff4bd0848d6b1a4a4be94e304229da24b726dd7c752c1d8226508dcd647c98d11e79ed6ccbbd95ee9d3a90b4d26287486994dc7d84dffe56b773a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe

Filesize
520KB

MD5
485f8599c4b1d7799001a87b91106249

SHA1
227ec39de7ec869ca2946e42049fc03e34b5a19c

SHA256
d25d5ebcc2767a7932836f6ad3315443aa421499212d1d6f7b1dd878040961ef

SHA512
d1f9329fb6afea4d2790094aa73fbec68fedabc9d61c7762e5c230967a1fb958207a446e3bef4d9245cb7ea0561a465728fd031cd4faed22e6b79e790da8f63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSCONOKIPKAOVEP\service.exe

Filesize
520KB

MD5
7ae2f12e835c3d10f481e076f5de4e04

SHA1
16a15c0133181762baa92771b4e00ab440eb8006

SHA256
bfb5d5c3a571118259b468fcdc369a0f9978dc91c98abeefdd707273ab37d685

SHA512
00bfd51e0e5e0954c75f5a842d12b17dede186ddb7310c6f6219783e7136e44017a970223326125e5037687c1cdafefde70b8d816dd2d849db19c7cddcdc0266

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe

Filesize
520KB

MD5
feebb90427a3d35c82fb0d1af7d50f2b

SHA1
db787b419f0dae73dceabcac52032ae3904bd62d

SHA256
5b5bcd6c6e85017596be2d87fedb1d7b644233253e959815322d8d7009274025

SHA512
114741ce22e4a1f656b811b206496e57ea4b3a1f759f55b76ce4513265e0eb04b3c7144fd250f53db908c80cc0c80581f9ab52e2fc29b2d6c94554c889b3d178

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe

Filesize
520KB

MD5
12f43cdfce2b61c4e21a2ad6db11001e

SHA1
ecc45d4618e635c9432296312b6920b2ff443970

SHA256
aa1c08ef9152158fbe81a5817fd0f79c76597ab2921e8872348dd35b664106b4

SHA512
f11ee69264b7e26d2f6d217505748df85cce6c311f9a329d4a7bdd37f005fdceb821dcbdce9dcf8c5fd1001c67f2720aa3068437d57ef61575d63e1c0b62d75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe

Filesize
520KB

MD5
d1144f1ad30569b515a9e404c9d0be96

SHA1
4d7ae181825179a47796c6883d23d79ae3a1edce

SHA256
fd14b0b32dc60141de548fa28f8c7d10cf4f1ab627fd9af25ee61fa6c6833ded

SHA512
5dbb91652c2cae3db3e02ae8b538e2b617befba6e7a283751bce1dab0958abbd8f5a9ee4518edaff86fbc133dd00dc2c4e540bc9f1d960668c9937a4f9ce2578

Download Submit
memory/4776-666-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-667-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-672-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-673-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-675-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-676-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-677-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-679-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-680-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-681-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-683-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-684-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads