blackshades | 2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
Size

520KB
MD5

87c6602ec971cbf7d11c460fdb1a8cfc
SHA1

69fd69bee8a85ee0c7742fefed29eaa17ee020bd
SHA256

2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32
SHA512

aa1b3b51880870bfe2597a594e03974848ca5e826a2e6e5ee256ddcd15d0fbc6b28442b6bc8bb113ed28a7f412d303bdcedc54e49d9c15efb037687a43a8281f
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXX:zW6ncoyqOp6IsTl/mXX

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 14 IoCs

resource	yara_rule
behavioral2/memory/2552-353-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-355-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-360-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-361-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-363-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-364-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-365-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-367-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-368-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-369-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-371-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-372-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-373-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2552-375-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYOSXEFCKDHW\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 14 IoCs

pid	Process
4692	service.exe
1724	service.exe
1184	service.exe
1452	service.exe
4728	service.exe
4160	service.exe
1384	service.exe
3876	service.exe
1624	service.exe
3976	service.exe
1324	service.exe
2180	service.exe
4640	service.exe
2552	service.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMSFCRQEFABWREL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNSLBBDFTBPOAID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EOXFCQUGHENFKYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BFAITVQORGUCKBW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABGES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJLGEHWKRAMQBNV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYOSXEFCKDHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAJASKGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTMCMFEGXTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEYUPDYKFJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GBQVOEEGBIWESRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRECQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXTHTEDHYVWIOVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAONHQYIEPJKTWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWCSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLIQDJOBEPRMKNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGLDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGKGEUSJJLGCDMI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BPKIXNANPKDGIRN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4640 set thread context of 2552	4640	service.exe	152

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4264	reg.exe
212	reg.exe
32	reg.exe
4468	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2552	service.exe
Token: SeCreateTokenPrivilege	2552	service.exe
Token: SeAssignPrimaryTokenPrivilege	2552	service.exe
Token: SeLockMemoryPrivilege	2552	service.exe
Token: SeIncreaseQuotaPrivilege	2552	service.exe
Token: SeMachineAccountPrivilege	2552	service.exe
Token: SeTcbPrivilege	2552	service.exe
Token: SeSecurityPrivilege	2552	service.exe
Token: SeTakeOwnershipPrivilege	2552	service.exe
Token: SeLoadDriverPrivilege	2552	service.exe
Token: SeSystemProfilePrivilege	2552	service.exe
Token: SeSystemtimePrivilege	2552	service.exe
Token: SeProfSingleProcessPrivilege	2552	service.exe
Token: SeIncBasePriorityPrivilege	2552	service.exe
Token: SeCreatePagefilePrivilege	2552	service.exe
Token: SeCreatePermanentPrivilege	2552	service.exe
Token: SeBackupPrivilege	2552	service.exe
Token: SeRestorePrivilege	2552	service.exe
Token: SeShutdownPrivilege	2552	service.exe
Token: SeDebugPrivilege	2552	service.exe
Token: SeAuditPrivilege	2552	service.exe
Token: SeSystemEnvironmentPrivilege	2552	service.exe
Token: SeChangeNotifyPrivilege	2552	service.exe
Token: SeRemoteShutdownPrivilege	2552	service.exe
Token: SeUndockPrivilege	2552	service.exe
Token: SeSyncAgentPrivilege	2552	service.exe
Token: SeEnableDelegationPrivilege	2552	service.exe
Token: SeManageVolumePrivilege	2552	service.exe
Token: SeImpersonatePrivilege	2552	service.exe
Token: SeCreateGlobalPrivilege	2552	service.exe
Token: 31	2552	service.exe
Token: 32	2552	service.exe
Token: 33	2552	service.exe
Token: 34	2552	service.exe
Token: 35	2552	service.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5016	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
4692	service.exe
1724	service.exe
1184	service.exe
1452	service.exe
4728	service.exe
4160	service.exe
1384	service.exe
3876	service.exe
1624	service.exe
3976	service.exe
1324	service.exe
2180	service.exe
4640	service.exe
2552	service.exe
2552	service.exe
2552	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3828	5016	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	90
PID 5016 wrote to memory of 3828	5016	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	90
PID 5016 wrote to memory of 3828	5016	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	90
PID 3828 wrote to memory of 4336	3828	cmd.exe	92
PID 3828 wrote to memory of 4336	3828	cmd.exe	92
PID 3828 wrote to memory of 4336	3828	cmd.exe	92
PID 5016 wrote to memory of 4692	5016	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	93
PID 5016 wrote to memory of 4692	5016	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	93
PID 5016 wrote to memory of 4692	5016	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	93
PID 4692 wrote to memory of 4616	4692	service.exe	94
PID 4692 wrote to memory of 4616	4692	service.exe	94
PID 4692 wrote to memory of 4616	4692	service.exe	94
PID 4616 wrote to memory of 3624	4616	cmd.exe	96
PID 4616 wrote to memory of 3624	4616	cmd.exe	96
PID 4616 wrote to memory of 3624	4616	cmd.exe	96
PID 4692 wrote to memory of 1724	4692	service.exe	99
PID 4692 wrote to memory of 1724	4692	service.exe	99
PID 4692 wrote to memory of 1724	4692	service.exe	99
PID 1724 wrote to memory of 4020	1724	service.exe	103
PID 1724 wrote to memory of 4020	1724	service.exe	103
PID 1724 wrote to memory of 4020	1724	service.exe	103
PID 4020 wrote to memory of 2180	4020	cmd.exe	105
PID 4020 wrote to memory of 2180	4020	cmd.exe	105
PID 4020 wrote to memory of 2180	4020	cmd.exe	105
PID 1724 wrote to memory of 1184	1724	service.exe	108
PID 1724 wrote to memory of 1184	1724	service.exe	108
PID 1724 wrote to memory of 1184	1724	service.exe	108
PID 1184 wrote to memory of 1816	1184	service.exe	109
PID 1184 wrote to memory of 1816	1184	service.exe	109
PID 1184 wrote to memory of 1816	1184	service.exe	109
PID 1816 wrote to memory of 4340	1816	cmd.exe	111
PID 1816 wrote to memory of 4340	1816	cmd.exe	111
PID 1816 wrote to memory of 4340	1816	cmd.exe	111
PID 1184 wrote to memory of 1452	1184	service.exe	112
PID 1184 wrote to memory of 1452	1184	service.exe	112
PID 1184 wrote to memory of 1452	1184	service.exe	112
PID 1452 wrote to memory of 4576	1452	service.exe	113
PID 1452 wrote to memory of 4576	1452	service.exe	113
PID 1452 wrote to memory of 4576	1452	service.exe	113
PID 4576 wrote to memory of 4124	4576	cmd.exe	116
PID 4576 wrote to memory of 4124	4576	cmd.exe	116
PID 4576 wrote to memory of 4124	4576	cmd.exe	116
PID 1452 wrote to memory of 4728	1452	service.exe	117
PID 1452 wrote to memory of 4728	1452	service.exe	117
PID 1452 wrote to memory of 4728	1452	service.exe	117
PID 4728 wrote to memory of 1404	4728	service.exe	118
PID 4728 wrote to memory of 1404	4728	service.exe	118
PID 4728 wrote to memory of 1404	4728	service.exe	118
PID 1404 wrote to memory of 964	1404	cmd.exe	120
PID 1404 wrote to memory of 964	1404	cmd.exe	120
PID 1404 wrote to memory of 964	1404	cmd.exe	120
PID 4728 wrote to memory of 4160	4728	service.exe	121
PID 4728 wrote to memory of 4160	4728	service.exe	121
PID 4728 wrote to memory of 4160	4728	service.exe	121
PID 4160 wrote to memory of 2648	4160	service.exe	124
PID 4160 wrote to memory of 2648	4160	service.exe	124
PID 4160 wrote to memory of 2648	4160	service.exe	124
PID 2648 wrote to memory of 3296	2648	cmd.exe	126
PID 2648 wrote to memory of 3296	2648	cmd.exe	126
PID 2648 wrote to memory of 3296	2648	cmd.exe	126
PID 4160 wrote to memory of 1384	4160	service.exe	127
PID 4160 wrote to memory of 1384	4160	service.exe	127
PID 4160 wrote to memory of 1384	4160	service.exe	127
PID 1384 wrote to memory of 3008	1384	service.exe	128

C:\Users\Admin\AppData\Local\Temp\2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
"C:\Users\Admin\AppData\Local\Temp\2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAMULF.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPKIXNANPKDGIRN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4336
- C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
  "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASKGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3624
- - C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe
    "C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
      "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGLYIT.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMSFCRQEFABWREL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYUPDYKFJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4124
      - C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRXJFP.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNSLBBDFTBPOAID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLCGUM.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GBQVOEEGBIWESRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHBPXK.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTEDHYVWIOVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJKHQC.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SAONHQYIEPJKTWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQXGSW.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KLIQDJOBEPRMKNC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVHPH.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TGKGEUSJJLGCDMI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLXIHL.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BFAITVQORGUCKBW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBTXSO.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEHWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        17⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe:*:Enabled:Windows Messanger" /f
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe:*:Enabled:Windows Messanger" /f
        17⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        17⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        17⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAMULF.txt

Filesize
163B

MD5
0f7c1e17e9620ad98897be9587a371ee

SHA1
f672dfc16ab391351abd524d9c0990b06f085397

SHA256
04711b0f6326e5a0069f86f242ca61ff85f6950f63b237c31aaca593beb0bd3b

SHA512
e24f70cd02a0495a8473613fa9ca28fb7e7d39cfc1e7beae17402bf2ba28605525ae0cce9f07f3fc5f9e83d9d708044dbc2168435b281ddb265879b12288816e

Download Submit
C:\Users\Admin\AppData\Local\TempBTXSO.txt

Filesize
163B

MD5
ee43c5410ff083f25fe89002fbc791e3

SHA1
d6326230df59d77df3a85811dba022b53d798167

SHA256
7d62d099d0f41de498f140ec5675d421e9d416f2304ba756a809064125641b3b

SHA512
558661a6298c381c12b30a21dba3f87126bdbd37575ee076a70752a5e18e196fb5db5fcc136802c6e588baed6e017bfdf060f045c825d73a4dd0ff9b4fbb619b

Download Submit
C:\Users\Admin\AppData\Local\TempGLYIT.txt

Filesize
163B

MD5
0d7af1a76874301c4d898151b07ee7ec

SHA1
23d0dc22e89fcf18fb07778ab81160226043ce38

SHA256
c17ca94435b08a7dcee7be720efe9973d8a672fa0f81a9e1cc6fbeadb8c0ed40

SHA512
d2ad96704bb07b6652275018a4ead46636d74463b368d9ebdc172c72e66e4563baddc39c2a8299e75bfa6dde1c6f05a7ece01a0b48d0d65afc6f10aea0f3f9da

Download Submit
C:\Users\Admin\AppData\Local\TempHBPXK.txt

Filesize
163B

MD5
f1481b8fa45d4b1929a4058fd59dbb41

SHA1
49027aca55f9d7cfb5670b5683e29d6806efa1e5

SHA256
1d596ba5e82e465fd36dd4a7ff98c9ceb654869ce036fc944c419c247c8c459a

SHA512
2bda228945d30fb2f849b23b9e8a77f8a280990084bc0601531b35addab59bef13cd87c0adb2242110aaad3b94a0f23f50f8ee8c2b9bfcbbe665bb1194f4b495

Download Submit
C:\Users\Admin\AppData\Local\TempJKHQC.txt

Filesize
163B

MD5
72bad3686e58a9db76667f3fec098a38

SHA1
4de75b91d521b8f9c4382503744b7671fe4b2760

SHA256
089a70f13d8fee0f134f389e1656acaf64fa3a932fc29828e698a812989a0bba

SHA512
63c7f6ae8cbcdc814689069fe052ff1e01d577b4231deacbb2ab3fe93caba950a727b50784e63cad26151b79504954e3d00fc38e87cc3905c8ba62a318ab2274

Download Submit
C:\Users\Admin\AppData\Local\TempLCGUM.txt

Filesize
163B

MD5
0361de72f3892c7308604e4dee014474

SHA1
010946ca0911029923ade0e4a61e62e3e2532bcb

SHA256
5e9fb33c7c1b11c838a84fae1e843badabbc5137e9aab49f7f33fc0816129e65

SHA512
4d2f5e388282e96d16058401a74e71e8562b125e4a0f156ff7de61c54ea14a749123bf0686e79b8ec93428f04de0d34e4476f16dacf5084e404b52d4310cf125

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
9fb89caec6f093f5b98a120aa434a6e6

SHA1
7ac90bdec43895a090525864e7e03191b1e9862b

SHA256
0487f19665acc64817da8d7c6566bc0f2e05de4fe3dda344f2da61e9fbf6680e

SHA512
1959f45c5cae5618a7dd50a2a1417022db08067257cf996b8f80711c2d1a2efee2a733b175708eb9508d930032b37379190877f864ac36c325a32cee0d06d2f5

Download Submit
C:\Users\Admin\AppData\Local\TempLXIHL.txt

Filesize
163B

MD5
c3fe75edd2e9d7000200683d1f00a40f

SHA1
df0e967a33236234a09243c27ddf2dd22410ab27

SHA256
f1e7125715ff5815438ddae3ace41fae879c42f1c431ee21c2ce1b11d8f6945d

SHA512
62c0b6f0536af8b6078376a533a5b6564863bad34536e98d3439a4529526f8e7b74c534f61a5ecce9e5c210edacc0d0b6f460c0291a00e21d6fbe9a3789f799e

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTH.txt

Filesize
163B

MD5
f119d8ad65c239bd173007ef82ceac5a

SHA1
3ed6d4172b48a55a13ec4e490b34ca3e8f12e4b2

SHA256
a9754d14ba5287ab80082e574cc32ab4712812c64761d1ed654c5b9a5190ea3a

SHA512
d069025c6762b187455d1c95bf7466661b366fd835b1904a48cf08d7e3aa26c521c2e833133e21ef96d268a081dfa52373583d8644ce3dbdffb061f8b60f2797

Download Submit
C:\Users\Admin\AppData\Local\TempQXGSW.txt

Filesize
163B

MD5
5f6be1b679857d7f83439ca8abc8438b

SHA1
7deb01ee8e2b7aa577aebdb1bbb9e7848fe7641d

SHA256
97e88549692c2dfa0ba06f88c9624a71518354420ab38565e7df25fca6ef5394

SHA512
3cfbe26f5d919d53c4c989f539357ae1dd93ba621f41340826291825fbe17ddc04cdebb4bed54996b5a522b7960ddfdf418af4012a315b1d94fde7946f4f2b5a

Download Submit
C:\Users\Admin\AppData\Local\TempRXJFP.txt

Filesize
163B

MD5
b251d1c292df52ca56e60a2f1cd90cfb

SHA1
22f27eb114e38b870a8ddacc4ee64e25b61fd3af

SHA256
7571310083175a6a802b1994dbe05f3f885920a07efab2c17feff217df40c5e6

SHA512
7007f602c4733f0216e02478051826bba6df876bc466a34d9d36ff682e8552346e1d1ac7ca4734a784b268b744efabc1cad83ed8ed2d5cfcb33d54ffdc2006d7

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.txt

Filesize
163B

MD5
5a4384ad153eee40e71481f1b84e2979

SHA1
c4f6eaf1a1a7e034ead8fb98d9f946ae66547733

SHA256
e24020f861db2b12a14f5de1030b174886ce889fe47e68fa46f555d2484ec935

SHA512
68a15ebf11eb0c7e315606916b9e3420d6bdeeb4cb0ec9b822fa629bd0ecbbba379c81b966ce5c686f7d47b51dc9d1752faf4ded1fb3c3b3ec11aba06258cf09

Download Submit
C:\Users\Admin\AppData\Local\TempWVHPH.txt

Filesize
163B

MD5
6d8fcfa3227ed358730db016f79487b2

SHA1
e8f3938763e1a307991960ca9c7a42324d8ca432

SHA256
b61a9f0c87b77d70474494dce157438ae79b845981c09a3094765b37a1b471df

SHA512
45df6e96ec710c557705feeae0120a3ef56fab922593fe77442008afba5c7068fec7d8c4e83956413a52d6fd32bf06b529de2b06e2c326e4122bb812a2406603

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe

Filesize
520KB

MD5
7acdac5afeec7e3618829a91247b2e04

SHA1
7b0e56db77de42cc9081a65780caaaf6bd93d07f

SHA256
b147b89ab13f734407a485dae4c11e4785ba54079221a3c7f3a7db3b3eb41168

SHA512
957aaba984831bf3fc7d65961f07fecae52abd2c39b0e9506500d5f4086d6143f1241ea8c7fecbab13a2fbf2bf52459ef661c3e45bad4a9d7fb334cd66083b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe

Filesize
520KB

MD5
9d4520236a12daa96c91dd8e18522a2e

SHA1
0ceb247a43f4a892a99e4113d13e077a2bd39198

SHA256
28d25e48b065c0569f5e3d6ca66ce45d9086a0d78e5601b5afc92e12a12da1a1

SHA512
a687167c54cd020c571ac61b009416916a525374218d6c5f1aff76bdf0bdb34266c4e59187922465c97ca5a32c57ddc3fc23b6a8a58dca5f8198c6b7b6027762

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.txt

Filesize
520KB

MD5
2181779dc15097281fb1849f8142634b

SHA1
716e39a93677e6bcdf48f70f4e34e5e518e8226c

SHA256
9df15bf05daed4df6290499afd02439fd2c6ba604f1f44360783652bd7ec437c

SHA512
c0c33606dd35608810b47ebdf1132f796b9838462f6d7bd83a85435cbbfb509527e5a38439113d876e0341070cd4cdf29715b030eb8bebda0c49d908590c6e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe

Filesize
520KB

MD5
46ee027c7fffc19e69c964479f942497

SHA1
20d70ee05e3a47b0b4e4e303ad9c19ba394036b8

SHA256
0564a5cee9eaa80803bab5d96756836ede428bd7b5c94ee8f145ea84cf9366ca

SHA512
1ab46f756a7a735d324561ed4d933426884020743f7099a706d474762c80869a1c3db41e0a8983b464ec63a2d5289639f8c0e416dd3765b97b101c8018aaab35

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe

Filesize
520KB

MD5
328be13923e36d375b0c1a5163a523fa

SHA1
72952853e33d65a392fcc6fa5ba0b180b6967856

SHA256
0575322f7e380204d22f6d818c1b4bba9e1466b7c5d677f829b2a49df530d14e

SHA512
cc529d6b0fb0ba5bcb3d411d840a510f9776dd7abc5e7b207a9a8114928ef80b7d5ab58c054bdfba6e38c2d06281ac651d2365c69983b29fa68cfdc4659c28f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe

Filesize
520KB

MD5
cdf57149f2a8429ccab5afcfb382a4c2

SHA1
ed79e635bd4a4c19bfe5b0847536af21edeb2c93

SHA256
6bb1921d2ce72420f7966ddf47dce69fae9831f1869dba2fa2159afd1aa283ea

SHA512
92e6df4f57321317cd1d3c42e9a1da17bc88789b9b350699c0cb92b1079470adc5bbfd8625c763ff776332e4ba54c669517799b4ff36aa93c4de5d9065ebd07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe

Filesize
520KB

MD5
f01575c3d1e655e09e0e0f99a2c77abd

SHA1
8291fbc0564a88bcfceac73f2d307f30c0cfd36e

SHA256
a619b18efdcda1f8df148f2721c9f1d2bed0d616f057317c42a103bf15c218d3

SHA512
df21c11125cbd207567c7d63e7074a0afada47e4f0552f25e947667ce00ffea39548baf853d5e5878ab97fe3640fd44a67be727c75f19ee40ebdbf28049e486e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe

Filesize
520KB

MD5
4ccda052508932f7bed31fd9dfb61156

SHA1
4b5be5c647b98dbbf0a3d2f6375b8c2c9db72f50

SHA256
64ed18d0fd99a80f05d01e5f3182ed6e6f5386ef7a9615e2954a21a4d4652173

SHA512
cd28272a741b52ff16b0a4f6eb572f9f56e05e24b4122e93cb57d64a5900ea674425dd19b7aa6a21608100f74ed612374339b52dfbf3c15120bafd472548e310

Download Submit
C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe

Filesize
520KB

MD5
24240d244afd31f414bdf77ba89530ef

SHA1
8126f084af1e6699923f4a94f4940678f5a63f91

SHA256
947bbb57fa9ed7b20843193d35f33ab88dcd41b71da12612c550f74687698255

SHA512
c034d8cdc7826e8b27237647720311fbf1344d94f1a41b9827cfc7d93c684f3d30d8c142aeb2104553f5dd75dd73dc2588cb6bba15242ba05ab15cc0a318a197

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe

Filesize
520KB

MD5
d8f6041052396e4645485976fd9f3ef0

SHA1
306f8ab820cad86d12bc893efbc747ee5f863178

SHA256
15ffb3af12e031b4bf979bc0e6737491fec75defa9410b7edf600c456e3dc478

SHA512
6de93e25904884382923892fa4e2c5b24f1791b913a12f956a090ef02d207dcc5165d5d8f46b325f958512dc348ba10c296112094837f0f7fc0b658e77d33700

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

Filesize
520KB

MD5
7f3d21b1add4a5a767de5f72b853be77

SHA1
3fe8a0e74392305d326716324f70ae14a411076b

SHA256
95edd9344eb08d3ca6c35345bead6a7efaf52d23192070e7ce1ab228335c4513

SHA512
a4d1c2ea878812df9eb8977cba4dabb9cb23e7150cb5bd5415aece01f7adfa5e515a59bba4ac7312bc3514ba5cda00f3bfd6478fc92eaba3ba10cf412bee8add

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe

Filesize
520KB

MD5
914cae7bc2455b24d6025782cc43ad0e

SHA1
b82058c130da7772b86d7f54c3690c38ff7cdbd7

SHA256
b2d5b99144dd7e93dafa47a48878d81afe3d2b1898eccbe950ca6e66416e55cc

SHA512
26914f5dc4a7c12a47838d778c44d839ecc4ecfb713bad9f702680bc13d80691cf61f4a2be53f017d8b8cad7eeccef2e6d373ee64986ca53c01dc466b818174a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe

Filesize
520KB

MD5
42ac318239031066c900295646a55a15

SHA1
684e72b1bb0c76b0f092b5974987b5bccbb17a17

SHA256
6ba4c02c28e0f00b376ca91b8633a3a2051461f3c44d49492f751ff74653e402

SHA512
1650379c2fdaf33dc605b2be6877e81b4062cc30d214560e0826cfd211bd85543ad6830f3138e56e58fa2ddee923dcabdc4fa34e2fedf7d100b0e0f9536e5032

Download Submit
memory/2552-364-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-367-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-360-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-361-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-363-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-353-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-365-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-355-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-368-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-369-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-371-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-372-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-373-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2552-375-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads