cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250be

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
Size

520KB
MD5

4f145030e1545cc01bfa347441a5b5f0
SHA1

23be52f419d0c0952d6badd58494a0bbd70fbeea
SHA256

cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250be
SHA512

c08aa11f69d58d9555c5f1fddcecd8a79a0e9286d7d8247a82db0e124c56d927f2e759cd553f2a85a78c2ad3a81f18dd88c4875b3271bf90c8baac9a3fe606c2
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXt:zW6ncoyqOp6IsTl/mXt

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUXIMSFCRQE\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 45 IoCs

pid	Process
2712	service.exe
2912	service.exe
1704	service.exe
1712	service.exe
2992	service.exe
1876	service.exe
1812	service.exe
1048	service.exe
2732	service.exe
292	service.exe
788	service.exe
2792	service.exe
1924	service.exe
2500	service.exe
2012	service.exe
352	service.exe
2272	service.exe
2944	service.exe
2580	service.exe
2640	service.exe
1632	service.exe
2600	service.exe
2520	service.exe
620	service.exe
1644	service.exe
2284	service.exe
1840	service.exe
2832	service.exe
2396	service.exe
2616	service.exe
580	service.exe
2964	service.exe
1108	service.exe
2096	service.exe
2296	service.exe
1824	service.exe
1372	service.exe
860	service.exe
2112	service.exe
1716	service.exe
1564	service.exe
2100	service.exe
2508	service.exe
1976	service.exe
2096	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
2712	service.exe
2712	service.exe
2912	service.exe
2912	service.exe
1704	service.exe
1704	service.exe
1712	service.exe
1712	service.exe
2992	service.exe
2992	service.exe
1876	service.exe
1876	service.exe
1812	service.exe
1812	service.exe
1048	service.exe
1048	service.exe
2732	service.exe
2732	service.exe
292	service.exe
292	service.exe
788	service.exe
788	service.exe
2792	service.exe
2792	service.exe
1924	service.exe
1924	service.exe
2500	service.exe
2500	service.exe
2012	service.exe
2012	service.exe
352	service.exe
352	service.exe
2272	service.exe
2272	service.exe
2944	service.exe
2944	service.exe
2580	service.exe
2580	service.exe
2640	service.exe
2640	service.exe
1632	service.exe
1632	service.exe
2600	service.exe
2600	service.exe
2520	service.exe
2520	service.exe
620	service.exe
620	service.exe
1644	service.exe
1644	service.exe
2284	service.exe
2284	service.exe
1840	service.exe
1840	service.exe
2832	service.exe
2832	service.exe
2396	service.exe
2396	service.exe
2616	service.exe
2616	service.exe
580	service.exe
580	service.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHCBDYTGOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRAUYWKOUABHET\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMXN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFEUVSBB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNTYKIMHPDEXVEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXENWUFBMFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVNJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVOAPPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQGRKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\EINAMUMABVSMAWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HNSECGBJUVRPRHU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJTR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSGGHCBHDYTGO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTHHIDCIEUHOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGWVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMDULAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\DKOACFQRNLNDRYH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHCRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFSAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWVMCQMKYPBPRMF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJJVSPTOWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHDBDYTGOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWRAUYWKPUABHET\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVROTGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPBBPUMUISJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\YAKQXXJBDQMLGBW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUXIMSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\EBFAIUVQORGUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKEYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\OABEQRMKNCQXHSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIASJGBUYKLIRDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQUHLHFVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAYXFPFKCTKJT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECGBJUWRPSHVDLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVIOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNIHNJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOULJNIPEFXWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LEUDLAVARMGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOJNKW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVAWKXIHLYCMSKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXHTTUPOUQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\DPQLJMBPWGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRIFATXJKHQCINA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEXHTSTPNUPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIASJGAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNPFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNOLTFMQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\OULIMHPEFXVEFYN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRIQFPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\IMJJVRPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHDXSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXXVEEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWCSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRUXWYKOTABHES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGBQVOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLTEESXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXIGKFNBDVTCCW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2320	reg.exe
1736	reg.exe
3052	reg.exe
1868	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2096	service.exe
Token: SeCreateTokenPrivilege	2096	service.exe
Token: SeAssignPrimaryTokenPrivilege	2096	service.exe
Token: SeLockMemoryPrivilege	2096	service.exe
Token: SeIncreaseQuotaPrivilege	2096	service.exe
Token: SeMachineAccountPrivilege	2096	service.exe
Token: SeTcbPrivilege	2096	service.exe
Token: SeSecurityPrivilege	2096	service.exe
Token: SeTakeOwnershipPrivilege	2096	service.exe
Token: SeLoadDriverPrivilege	2096	service.exe
Token: SeSystemProfilePrivilege	2096	service.exe
Token: SeSystemtimePrivilege	2096	service.exe
Token: SeProfSingleProcessPrivilege	2096	service.exe
Token: SeIncBasePriorityPrivilege	2096	service.exe
Token: SeCreatePagefilePrivilege	2096	service.exe
Token: SeCreatePermanentPrivilege	2096	service.exe
Token: SeBackupPrivilege	2096	service.exe
Token: SeRestorePrivilege	2096	service.exe
Token: SeShutdownPrivilege	2096	service.exe
Token: SeDebugPrivilege	2096	service.exe
Token: SeAuditPrivilege	2096	service.exe
Token: SeSystemEnvironmentPrivilege	2096	service.exe
Token: SeChangeNotifyPrivilege	2096	service.exe
Token: SeRemoteShutdownPrivilege	2096	service.exe
Token: SeUndockPrivilege	2096	service.exe
Token: SeSyncAgentPrivilege	2096	service.exe
Token: SeEnableDelegationPrivilege	2096	service.exe
Token: SeManageVolumePrivilege	2096	service.exe
Token: SeImpersonatePrivilege	2096	service.exe
Token: SeCreateGlobalPrivilege	2096	service.exe
Token: 31	2096	service.exe
Token: 32	2096	service.exe
Token: 33	2096	service.exe
Token: 34	2096	service.exe
Token: 35	2096	service.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
2712	service.exe
2912	service.exe
1704	service.exe
1712	service.exe
2992	service.exe
1876	service.exe
1812	service.exe
1048	service.exe
2732	service.exe
292	service.exe
788	service.exe
2792	service.exe
1924	service.exe
2500	service.exe
2012	service.exe
352	service.exe
2272	service.exe
2944	service.exe
2580	service.exe
2640	service.exe
1632	service.exe
2600	service.exe
2520	service.exe
620	service.exe
1644	service.exe
2284	service.exe
1840	service.exe
2832	service.exe
2396	service.exe
2616	service.exe
580	service.exe
2964	service.exe
1108	service.exe
2096	service.exe
2296	service.exe
1824	service.exe
2820	service.exe
860	service.exe
2112	service.exe
1716	service.exe
1564	service.exe
2100	service.exe
2508	service.exe
1976	service.exe
2096	service.exe
2096	service.exe
2096	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2816	2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	30
PID 2668 wrote to memory of 2816	2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	30
PID 2668 wrote to memory of 2816	2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	30
PID 2668 wrote to memory of 2816	2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	30
PID 2816 wrote to memory of 2820	2816	cmd.exe	32
PID 2816 wrote to memory of 2820	2816	cmd.exe	32
PID 2816 wrote to memory of 2820	2816	cmd.exe	32
PID 2816 wrote to memory of 2820	2816	cmd.exe	32
PID 2668 wrote to memory of 2712	2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	33
PID 2668 wrote to memory of 2712	2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	33
PID 2668 wrote to memory of 2712	2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	33
PID 2668 wrote to memory of 2712	2668	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	33
PID 2712 wrote to memory of 2208	2712	service.exe	34
PID 2712 wrote to memory of 2208	2712	service.exe	34
PID 2712 wrote to memory of 2208	2712	service.exe	34
PID 2712 wrote to memory of 2208	2712	service.exe	34
PID 2208 wrote to memory of 1672	2208	cmd.exe	36
PID 2208 wrote to memory of 1672	2208	cmd.exe	36
PID 2208 wrote to memory of 1672	2208	cmd.exe	36
PID 2208 wrote to memory of 1672	2208	cmd.exe	36
PID 2712 wrote to memory of 2912	2712	service.exe	37
PID 2712 wrote to memory of 2912	2712	service.exe	37
PID 2712 wrote to memory of 2912	2712	service.exe	37
PID 2712 wrote to memory of 2912	2712	service.exe	37
PID 2912 wrote to memory of 2420	2912	service.exe	38
PID 2912 wrote to memory of 2420	2912	service.exe	38
PID 2912 wrote to memory of 2420	2912	service.exe	38
PID 2912 wrote to memory of 2420	2912	service.exe	38
PID 2420 wrote to memory of 1440	2420	cmd.exe	40
PID 2420 wrote to memory of 1440	2420	cmd.exe	40
PID 2420 wrote to memory of 1440	2420	cmd.exe	40
PID 2420 wrote to memory of 1440	2420	cmd.exe	40
PID 2912 wrote to memory of 1704	2912	service.exe	41
PID 2912 wrote to memory of 1704	2912	service.exe	41
PID 2912 wrote to memory of 1704	2912	service.exe	41
PID 2912 wrote to memory of 1704	2912	service.exe	41
PID 1704 wrote to memory of 2876	1704	service.exe	42
PID 1704 wrote to memory of 2876	1704	service.exe	42
PID 1704 wrote to memory of 2876	1704	service.exe	42
PID 1704 wrote to memory of 2876	1704	service.exe	42
PID 2876 wrote to memory of 600	2876	cmd.exe	44
PID 2876 wrote to memory of 600	2876	cmd.exe	44
PID 2876 wrote to memory of 600	2876	cmd.exe	44
PID 2876 wrote to memory of 600	2876	cmd.exe	44
PID 1704 wrote to memory of 1712	1704	service.exe	45
PID 1704 wrote to memory of 1712	1704	service.exe	45
PID 1704 wrote to memory of 1712	1704	service.exe	45
PID 1704 wrote to memory of 1712	1704	service.exe	45
PID 1712 wrote to memory of 2408	1712	service.exe	46
PID 1712 wrote to memory of 2408	1712	service.exe	46
PID 1712 wrote to memory of 2408	1712	service.exe	46
PID 1712 wrote to memory of 2408	1712	service.exe	46
PID 2408 wrote to memory of 2976	2408	cmd.exe	48
PID 2408 wrote to memory of 2976	2408	cmd.exe	48
PID 2408 wrote to memory of 2976	2408	cmd.exe	48
PID 2408 wrote to memory of 2976	2408	cmd.exe	48
PID 1712 wrote to memory of 2992	1712	service.exe	49
PID 1712 wrote to memory of 2992	1712	service.exe	49
PID 1712 wrote to memory of 2992	1712	service.exe	49
PID 1712 wrote to memory of 2992	1712	service.exe	49
PID 2992 wrote to memory of 2400	2992	service.exe	50
PID 2992 wrote to memory of 2400	2992	service.exe	50
PID 2992 wrote to memory of 2400	2992	service.exe	50
PID 2992 wrote to memory of 2400	2992	service.exe	50

C:\Users\Admin\AppData\Local\Temp\cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
"C:\Users\Admin\AppData\Local\Temp\cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempJSJGS.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OULIMHPEFXVEFYN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe
  "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJVRPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:1672
- - C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe
    "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXXVEEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe
      "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCBDYTGOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:600
    - - C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEE.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPWL.bat" "
        10⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "
        11⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        12⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
        13⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        14⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQUHLHFVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAYXFPFKCTKJT\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\ORGAYXFPFKCTKJT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAYXFPFKCTKJT\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
        15⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNTYKIMHPDEXVEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBEFPK.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSXIUF.bat" "
        17⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DKOACFQRNLNDRYH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "
        18⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHCRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXAMYJ.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBJUWRPSHVDLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        21⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
        23⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJWHGK.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFSAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
        25⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIJSOB.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVMCQMKYPBPRMF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOULJNIPEFXWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQQFO.bat" "
        28⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJJVSPTOWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHOSE.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVOAPPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHDBDYTGOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
        31⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOJNKW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAE\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAE\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        32⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQRWD.bat" "
        33⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLTEESXPXLWMI\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\TNGLTEESXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLTEESXPXLWMI\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXCHWX.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EINAMUMABVSMAWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVAWKXIHLYCMSKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWALXJ.bat" "
        37⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EBFAIUVQORGUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCLCWA.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HNSECGBJUVRPRHU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJTR\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJTR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJTR\service.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHUFDI.bat" "
        39⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OABEQRMKNCQXHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe"
        39⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        40⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSGGHCBHDYTGO\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\TLKSGGHCBHDYTGO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TLKSGGHCBHDYTGO\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOXTAG.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVROTGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHPGE.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXIGKFNBDVTCCW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCHYUU.bat" "
        43⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLJMBPWGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
        45⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
        45⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGBQVOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPVHDN.bat" "
        46⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAKQXXJBDQMLGBW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        49⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe:*:Enabled:Windows Messanger" /f
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe:*:Enabled:Windows Messanger" /f
        49⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        48⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        49⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        48⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        49⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.bat

Filesize
163B

MD5
7e5351f62d5874fb314980eab2ff50f1

SHA1
90a78dd0d008ca94767e7a78e4823d8b1b265580

SHA256
07e4e0ec8b8efd732a90b91b2e08ab15463b9f9123dd504907896b516931c9e7

SHA512
043a3f3a338e6bc6936f66a991c7e80694434250d3afa251927286c34185c33baeca31a60f358c8ba112a7051c4382a2cd89d4da40da0749480cc1f44015e937

Download Submit
C:\Users\Admin\AppData\Local\TempBEFPK.bat

Filesize
163B

MD5
5d5193981fbb091f2db96343213a1540

SHA1
ff915d08eb74f807c0f4025cb9328452915d57b4

SHA256
0507bc248992b8bb2868f818afd9557ee243cf4a23ec0600dc075bd545593611

SHA512
22900c727121acdd2e26815c64739c26e94de8e96aada530d44006b47162cefc8200b44829f5da5a3332e4227738a6fe2dab62772ae5987f7521a971bae2dce3

Download Submit
C:\Users\Admin\AppData\Local\TempCHYUU.bat

Filesize
163B

MD5
fe86a1bcc9e6ab20e4c242d1b4b8a4a5

SHA1
8acdd52e21c9479143e8f19462ef8ae7d1f25e23

SHA256
4aade04c584e35c19dc188ec5bbce171d35b47a8d97244022dfd4df2ede1daee

SHA512
063953813d9d26ae3e7deddb68a44145fdbce3677dec57f9d31a6b946ff7bc42d540cf5f0bb5b570c80208fc2034cc0992dfdfcbe9a0abba32014ebe0922d65e

Download Submit
C:\Users\Admin\AppData\Local\TempCLCWA.bat

Filesize
163B

MD5
fd80d8f8b344e902cf2dcfa38eb2e43e

SHA1
96fac1b337511fe6d8a55ff9f1f45823300ecff0

SHA256
1c1a7dfed6994193650cff980c672651fda707f4521f38b3d14abd63830f7fff

SHA512
43048489191906d4787288f1a9a410c7b51ca0d29cb233b6bf126a1c5cdd612943337658bd4a5828d585b0c37f7d1815a3543c774abf96cd022c0cc151519b4a

Download Submit
C:\Users\Admin\AppData\Local\TempFGDME.bat

Filesize
163B

MD5
2660985bbe22ab26d362c4161646da77

SHA1
7c3a04f378ef38e353f3261f540b76403f699261

SHA256
951a05564b759cbe5b86403568f28540f81b8b8042c5ad853422d5402d178096

SHA512
730d8e59c173c01a6f90a6de0bc24fb701a1ff813f7552d3dc2bfca4154aa34d5b605136aee95b21f5055e0cc813b1b2ea2a4adb4dac3e8a98572ad994266193

Download Submit
C:\Users\Admin\AppData\Local\TempFYOJS.bat

Filesize
163B

MD5
acec3fc51c7811103f1765f6f8a05b3b

SHA1
a2b51123cf7074cf80e47a755e74b59191cdd420

SHA256
3259f646f4755eae15fc05089823d0651accfa8d113fad3db263fce7cf6483db

SHA512
01b2b508082fe4e4a1a43a8ca0606a39ab080badc64b43ea51dbd3bd838c651f4d0e60f51f0bf63352a08051d76d50de55a72d948b33b5628adeeb62d716fce1

Download Submit
C:\Users\Admin\AppData\Local\TempGBIWE.bat

Filesize
163B

MD5
ab76ecc74323655ff4be1c0400dfad48

SHA1
44583f4e5b80dae8c8d7d1ba8f05d76e85373ea2

SHA256
31957eafadff16021968a815a4b25af687105bb41a85d3b10536b8e304cacd9a

SHA512
cd43dcbcd99ffbb54e5485304c6048f956edcf341c160a9817050cafb7173ff59ace51ad953c1c63441bd44e7c30f37a4a6526c9036bdd1d1e32248cefa1af34

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
4ff1d66e34088078840e9bfb6eedb146

SHA1
8d38af5d68d2bf926e09b6078a60bd1a85eb4b43

SHA256
9365ebd186294f5c3a7613c2f779d3eeed6037afa5c5dd1362c1bfbd14c9628d

SHA512
b9f8854a0e4573fca547d497f0e9d49d171f1a1cc65acac21781b0bc91a45c332c313b011666b9046acc954499694dc099c392a5601717a0984d1b6664f51e2d

Download Submit
C:\Users\Admin\AppData\Local\TempIJSOB.bat

Filesize
163B

MD5
2b7eeeb14ec6097931ae37c3bf3c7417

SHA1
94a21fecc44e5949a9cb3b9fb1c61fcffab03a94

SHA256
1368211a9bb87fbfbe2ca8fc8d261772b0b104c4d010b0faecf88c6fcdd8258d

SHA512
bdbf59c6b0e3adacc4e9534f10cda6dca8418e2f687c664ddccf3a862cbe0fb7502826f8d9b73c90859667e033866c81c9355ef3011c9ac0f622482b0c93e27d

Download Submit
C:\Users\Admin\AppData\Local\TempIRDJO.bat

Filesize
163B

MD5
cd34ee6e32b715b1b71d4824d322c0f7

SHA1
e89256c90ba01fed389f85e990e0475247236fdb

SHA256
1ca5714b0cd5d30c70d4cd620deab6b1fb346ad4cfe14b7ce3010d02878756bd

SHA512
ce26d056d98dfda03ad7ba9f1fe8eb739cd08b64b916936dc03deccafdaeb1ac33858b6e59d99f0f04b2bcb5710a5856ed272fb3663429d1d9c0f83dbf3052ba

Download Submit
C:\Users\Admin\AppData\Local\TempJACDR.bat

Filesize
163B

MD5
207c5e2e589fb20b3290f4adb1e585e5

SHA1
7fef3e2e35d9e04b7e2841eca3b3fd3b740d2903

SHA256
98139c5f13002d6873a1eceb5caa23ae8e4d32856baf9a3ac9a3b60b9fd7bfc1

SHA512
7cdd023c660d4aeb15864141dc0b8e82a8c58b4cd1c15252e11999ef5596b14232238898fdf1b1e1cae084727c68993d40d82ca3055bc55b4e44846a5c72fafb

Download Submit
C:\Users\Admin\AppData\Local\TempJSJGS.bat

Filesize
163B

MD5
9eb43b9e547062da70fd1cd7e9827dfc

SHA1
15ce9f29b42ef489df6ac95df2e374741f053032

SHA256
b5d0bede8f7c9f82adf34662ff8e3a3ef7314265b7bb2617df99790a5b1a3752

SHA512
f39763131b054977727bc7642a87aef5a588ea5310b1ae7888a3b9fc7574e9ea0fa23ac9a4e717a19d474db29f3f6c2063554d6184c6e7aed4bda9ff33ba27aa

Download Submit
C:\Users\Admin\AppData\Local\TempJWHGK.bat

Filesize
163B

MD5
cd7b73ecdab64dfabaa705c8175aa245

SHA1
f28fb8fca424755a0dbd828c77c6d0e583b9fdbf

SHA256
3c9928829d3e5d2b03d80be1301e08e77f42dbd1247665728c0751931459099e

SHA512
bdef52704c32326b0e08a96e910a650a3ee5c5e1ec956aa839bf49bbd0227d87fa540c466686a9616a0cd4e0e7ec55fded3efb66719ca6acf9fd9584e57f489d

Download Submit
C:\Users\Admin\AppData\Local\TempKTFLQ.bat

Filesize
163B

MD5
b26c8cc3ca5f915507cdbd939df6cd98

SHA1
41df0368c5141d0135229e8b792c94bc18980b4f

SHA256
f524ba0a509958fd34d65982d56b0c0da42676ed927bc88e19ac90a611b839a3

SHA512
57278b1b8023f38c0da26b937adf984b850efc224b9a1f73731a80a69e3235bebff9ed8c5d1b6a725ff89aa887f2b13bf5af20a3dd6eec7efff4b3ca9afee655

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.bat

Filesize
163B

MD5
5afdc54e0196cc5ab4ea6bccfc4f6092

SHA1
8377d18b05d5424aa9ab36ab527fb133d9e6b581

SHA256
5d43c8fbdd4e5f11bcca6a5ed4fc910b9bbbb671294783503e98928423b9cc19

SHA512
fcb0d4ba0ebfdbe270a8950cd347afc1c05eca3cc11ee4bbff2b97298ad00e2e5d01bc3296c5009fd01c78d8a6cf0ac388327d258ef7a9a1d169baca70bdc17a

Download Submit
C:\Users\Admin\AppData\Local\TempLHPGE.bat

Filesize
163B

MD5
aa1f68047651ea720dc491065c68fe9e

SHA1
14b00a26e5e9e81bdd99db99a7a51c476bd652fc

SHA256
d9d53b8f23bfd4d55847065872a4f0854c830b246327b9d0def6d8fdb9521ec4

SHA512
50f50bb90bac9cf253ea2b04e8c96ba929db4e83257f66d03cac4237b0b854c5e99da20cb7096cffe9b46167f84ea418ce3040857a1345c52173f3084f13b088

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.bat

Filesize
163B

MD5
b99a301236f50f2d0c72dcd9e52d6e17

SHA1
e58c463173a9d6c33b5194266f446bfd6abaf428

SHA256
58ba9c92d951b80e926d4339f3589be900b98d34e25c23154c4ceb5364b7cabb

SHA512
51777be3f83e18af9d3663b241200c5893b4beb6e950df565deff231b87b56db4264639efa61d53f1e50265df9b36ee7d75e609053a32aaaf8d9e95df90e244e

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.bat

Filesize
163B

MD5
ddac971a04e378bbf2fd94c2cfbf0a12

SHA1
b0997067e289db5fd785df179e7defba37f15601

SHA256
6c5a3a5caf34735397e2822195e083946304651ffbc6d13dbf20d8c4fe48c65f

SHA512
41edea125d01c05b4baf01087ec8f77541c4eed84e06f8409a5afb242a5be4b457e19ea3ad67493504edd06228397959ff0c41c12a0253385a23df867e1191a9

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.bat

Filesize
163B

MD5
744a5026709d2e515773358787335ddd

SHA1
30e8cd8484237258baf44dbe7519134890471634

SHA256
275ff9d4af6a5aa1439bb2288cb5bb576546130da74f614bd575738da1bb21e9

SHA512
7f2de32cf6b2874543a0c05b18c146bbcc804509cbd040f66d6facd63d56f0a765cbc9e14e513cff32fd8cc7d475c8532e11fa135fa94f76c233b369eb54d33a

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
28e6280656f4432f6c5cf2f7d1efd4e5

SHA1
e9d7fe148d5eb7b565137843359fb0feef7fe28d

SHA256
df6d7e81b8746e9ef08d113859c81bd6554252f7842c8952e529c272b52aca6e

SHA512
ac26c666b19df427db6fc0c858ab698dd3e2ef50118e43134ebd4785614900b814a508970effcdfd90f850328bf3925c2cfafda37e01cee2dce0e624908e296f

Download Submit
C:\Users\Admin\AppData\Local\TempMQRWD.bat

Filesize
163B

MD5
c17aba3458db09b1fe59ed713fb2493a

SHA1
dcb2d244fd25ae66988439fc6c932cc4bef151bc

SHA256
da27fcd6e663effa63dad9f30a8f2dfc30f26422fc98a28ceee9bdc53497aab4

SHA512
a8220b03368da9e5056492fc7e266db8aac00704780bc328e896d3636c878843deaa6735fc1e7f72e07862c920f132f5fb6acc52799ee400ead60d482ca385c5

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
38b66b593318e58e3480040fd5ee708e

SHA1
1dd0fcfd0a26408d0e1aed45fb505a9f69ab3467

SHA256
95a6bc00656fbf57c960aa3e077c1b75c5c25da37e1d47c6057f8079a0fcab40

SHA512
c4361a8681f57407cd019ee9a306271a8fcb1fd547bcad60782e77a91691c22821fcd3901bae3b871ea45d0d67b0085a48b78bd586bd406cca33827d78eeecbe

Download Submit
C:\Users\Admin\AppData\Local\TempOXTAG.bat

Filesize
163B

MD5
2118c484011657bb2f027c36614811fe

SHA1
9c5b53ed55ac5bdf37d7c52843939da590a929a9

SHA256
81322f5735f7341a4981e04b5892ad8673da0818112bbf132f90e60d33d50266

SHA512
f57cc610c09986e76696a0776a3121534a1666782b1eb630fdcf9ffca68acad4a42b3494afcd609fe552b6a3dc6850be76bb5ec3c073be55ec12dda8334ce107

Download Submit
C:\Users\Admin\AppData\Local\TempPVHDN.bat

Filesize
163B

MD5
5c96dce87d5f9c44e3852db1e9d71680

SHA1
9523de4d2e5d84c50838ed7b01b6fbfa39e41e03

SHA256
b8afca2f80ee30f7848ca34ee2ab813976a26a4302e152cc64daee955cefccc6

SHA512
d4fa3a3589867faa1e0596cb6008f855a7b5e63bdbe893a14979d92490384bf9fd1638b9d31d2eef83118d36818bdd3a647d136095764095b6981314d2a3ed35

Download Submit
C:\Users\Admin\AppData\Local\TempQUPWL.bat

Filesize
163B

MD5
608ee5680b0efcb54ce68f13e4dbdded

SHA1
b24ea2e1dfad3981363d6d947177f7e55dca9b68

SHA256
79d6ccd2d33cd27984aab983eb4662d762eda7dde6eedd63993237506a6f7b92

SHA512
85d1d40793b775e5356250fe38dfceadae45fec7b53151903d7009507cb0c39c3026f4071f1c9bcbf6a3bbc246af2e6998cf539aa9f091ba4b25cfc8459e8fac

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXL.bat

Filesize
163B

MD5
5d0d5ad40d6fd09a0d716640cbfa1ac8

SHA1
ccaf0e23a3cff154b4863714b904dde9f3a05e47

SHA256
7e9d503b5dcf215ce570cee881dbf382d056c6d601e8859ff668b1348cce0159

SHA512
8b6a6f15623f84655016c2877899c30d5b3e475d666c3f08a175f1efcdd08231927338c839d2d3f4d9fb7ab6c58c68df1c09b8e28277ca9bc8b1a92d8961d4f2

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXL.bat

Filesize
163B

MD5
e51988ed7528367792e2a7e6b00bf24f

SHA1
e459aa5892924463a17cdcedf2ed2b699af6ed54

SHA256
021f4b069bdd9363e0c75deed818d8b318de2042b5db7dd1fd6071cd1f4e26c6

SHA512
0f2cc50450ece5584f5c0fc15bc1832545e4d9633827bb0505dcdff70209ae00f1746ffaa1994f58fa8720a623ac50f2354ccebc2b9f2ee13ca50c8ce54b3118

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEE.bat

Filesize
163B

MD5
a478e8f8f142e4253120ac7fd7801076

SHA1
a1d9e3bcdf76515526ce241ba648694c07929641

SHA256
e6f8372829ed6988fc88246576f9edf7f3424e19bb318ff66b6ab0f996b1cdfa

SHA512
5ceb60f7facffdc0666046a428f4f4c433a3dca1c1947605874eae8352c782b03d85d41bb848088a4e3e2bb57a35b8d9d06d4fdf44f64f34385e287bab8aea31

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.bat

Filesize
163B

MD5
f16c1205b7c8cd72877428f0b354cb86

SHA1
84a0cb14be7cb50b297871f4f955eec063c295ef

SHA256
9c38ec8952b4a829487fa54366720be3295c805cc78973c4a89d51dcddeccc5e

SHA512
5ef4b9f9a9df86623d30932f85948a6318bddd7620ea86f91a39fef1e5ba30355b7efee4adebecc157eec77fdce2855b8ffd5332df76915d6cbca45326cd446b

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.bat

Filesize
163B

MD5
e0f677f72902ef7d6bb49feecb3e5600

SHA1
6cffe2e607437fb0c91d68ce7a903b10062ad270

SHA256
304a0fcfe0aa75d30c4a4035398b7346cc0c1d75b5a6d2c2998b3f2b9b125adc

SHA512
bd7dda53c51450a81ef714a51ca295a0f0594c7cd84673c162678534110806d5045696dca4494bf7a1da9ee92dd5f45e278b91c8309b999fa73070e72fb25758

Download Submit
C:\Users\Admin\AppData\Local\TempSXIUF.bat

Filesize
163B

MD5
06d40ea71e8f686e06d134d224dadfe7

SHA1
5dbe4170f338a50cbfc52f5bef95142b1e462292

SHA256
ca66db2c89f016590ffcd08e12f86ef9fd4f9edc7a4808963a19166fa3a07b49

SHA512
e4905d20016d03731f76d3565e0dc5a0c0a0f9b39db52e90677c8979027ae86d45da8e9c1f467deae8d8b477b64c45922d8316b4c069ad404e589b3d2d16c9f1

Download Submit
C:\Users\Admin\AppData\Local\TempUQQFO.bat

Filesize
163B

MD5
27ff039d38045762254339ac930649c2

SHA1
ff4084040a1a798a39f0e3a3fbdcd2ccf4c4b303

SHA256
c67cf4c7d760f4ada63e9f3c5a9e5c5b65c15221d25ad0d38a19b607d3e6bc0a

SHA512
bb4e2e7847d75d72f61dccbaa24970edf6a4f4a17190b658b95f32eee95481ce8a267da8850decb48de33dfa9690eaad84eb02c9d87ee4be9ca17bbf1be89b67

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.bat

Filesize
163B

MD5
474a8bdd998702329cbbfa871ad3275e

SHA1
49ea6726c74b64e11dc8a51df2016325bb13e021

SHA256
b91062336967dce92dba34e0dfc4a6f6a491b162b43473e1c80123cc2afba95a

SHA512
d6e92f1ea542187de6d2e5d5eeee2d898972be84497eef7017d755c547e00bc64dbb71491a3dd2824c0309cbef237d241c9b7abd05ae29ab9e789a6aea661b15

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
b27276983c118e15839b76dc75c9dc28

SHA1
d728189a4f0cb8d008e28313340918768a6d8550

SHA256
52dc9e048ca29a43a5404b9a3172d2be99420587b8505f17208854938716471f

SHA512
a3808f557c92260717a993f0be4e46e03ba562c63bd013137bba6037cebf0e62814ba8cdd00dad5797dff5b27c51d24d10bc3fa0854b4361bc4e84b90b8233c4

Download Submit
C:\Users\Admin\AppData\Local\TempVHOSE.bat

Filesize
163B

MD5
bd6ef03451e88caaeed81bf9d7823359

SHA1
62809a2376a8a11b5fc13c8be32396c6078efccf

SHA256
5e8268494d3c001d1ed6eaeccf7ab3724d016fde8d7ea75ecbff7f63f6281ae2

SHA512
9f6255bde0d7d40a546237a6d62a83d6210c20c1fd9a89e82e7f89d550e42f4119f56c7afa7d8e4c4b7fc3a55fe1408bc12c23df9b52f6aa953f9e974a4a7be3

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.bat

Filesize
163B

MD5
38582d0b8684e515acc8a0b855142358

SHA1
091d9a23d9ea9a7fa0a7583fc3233521f038d3f8

SHA256
86ace41294290c8dd92509de6b1a6245e1ac20c41f4f1d7501be7ee721223776

SHA512
b5b207d182e0c3b8ceb79160238c24e6af6c482485d77c2b2b4bf0130611db60c503c2b1f6bcf4220328862c7ff650a3ac4f508dede00b8e50e3dcd92241a633

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.bat

Filesize
163B

MD5
dc6e6b03e08898da435639b5b53df40e

SHA1
dafa959c096a745c31a606c6df7724fcc15066cf

SHA256
28ab08fd2d055993987855c23566b0d271e68043c5e9a02bba9957989df6a578

SHA512
6841cad3958b173fb9491bd98a9c3ac27441867f61c950dd622b0126efd8671fb2488f34e8f7efcc10708a4d4954ba0caba15753811f47628d82156d3eb8d48a

Download Submit
C:\Users\Admin\AppData\Local\TempWALXJ.bat

Filesize
163B

MD5
f1444454dfc517ae3bf1e9e1ec8f4c65

SHA1
146a57a9befc771dbb4d91f720f2e000bea9a719

SHA256
d150d7406c0c9fbc925097830b5a9a79a51f1bbd9bb94a83b6fd51125c19e662

SHA512
673e3fb88ddd0d89330d962b7af19cb44f34a8fd5c8a95a7c904aed6b5e44b8a2256e46a19e7266b33913bb312e415c185d9da971155a3c50325e11d991865fb

Download Submit
C:\Users\Admin\AppData\Local\TempWCUYT.bat

Filesize
163B

MD5
797a05802a5f3d6699024252559afe38

SHA1
ab85f1b33d35de1a5d5f55187c816bb4237eeca1

SHA256
16ece4416c7c79a88f037672e5112e72167eb8966b82d95dfa64060b2465f074

SHA512
73ae53e16e0d28cb8f05850a58e3cfe2cea6364681d940e303acef6f7c82d2fd074bf7bc20eac39b43e87fbc658367806467cad260307ceec19e8a13faf27a4d

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.bat

Filesize
163B

MD5
aa7685ddc11f64b6cd488f675eb99cd8

SHA1
35b23f577124bab87af125549e6e0c1ab84269c3

SHA256
fbae7c44f8d524c51d742c91b1fa45ca8efc06fb7a67adecfc7ccab60a6fbb0f

SHA512
72155219fab90f14d48d356578d9a119a39ba3fdb3d2dbbe50bf3bfa1aa8fba1e593d3475c50cae4b11d1220aa63a8f5a143897167bf973ae60e48cc4a255700

Download Submit
C:\Users\Admin\AppData\Local\TempXAMYJ.bat

Filesize
163B

MD5
3064c9a63e8f85d6ea4736364aefe08f

SHA1
40adbf73e2852068eb366e171948fa4341cf70c3

SHA256
c3204a86ca655c286298e56b5bf3ccad1c57d4bd9f1a223a326bb408f92d9dd5

SHA512
f46027d46149395dad5e4fcb0c8f7358fb7b1bf88667575b15c7e7f65f9744c34d4b985321467d48c79ea481f8289cd37d31d90f604ee01b558abba451382d9e

Download Submit
C:\Users\Admin\AppData\Local\TempXCHWX.bat

Filesize
163B

MD5
1a5a28b8f510f96ee1d7387636a63f84

SHA1
a8fc540ee4341ef2937a582b1918e3348bd13aba

SHA256
9aed1fa7ce1d809f6d9f32ddfb351b0234083a9c981cc16a79d52c8dc88d9b38

SHA512
3b37137a0e338a79188082fe7579536a1135c411a5dd9360874af1bec8b0c5c531d5e6daedb3a917c2e7e51a7d251da05910dda1dac8f256573b673c451a6077

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.bat

Filesize
163B

MD5
a70a9dfb51a011a4d5c0ebab233c466a

SHA1
50fa4c4aed69fe490b58985c672117810239b66a

SHA256
5d2571f85391130fdd77d1def5dd9cd247accacf0e82c6d1eb19791ab167897e

SHA512
f44825ec08f3db15b3b5a20fd412a414256f2a64db2cfb92c24340e5fae74ec4c20e1b646ea7c2261e46c51d08715111c4e93a13d4059a4876f8c7b20b2a4695

Download Submit
C:\Users\Admin\AppData\Local\TempXNIRI.bat

Filesize
163B

MD5
0b49f0968469d582ac44f2dc73dc3f60

SHA1
572b6128095b21b80511a93b027222c87d3663db

SHA256
6352c9574dadb816314e9b140f29b376fb0119ae4ee41c5f3afc8cc0a30f47f9

SHA512
570727278ea995a832a4be77a84939f3b4d5a4f22d4e2150862931d0cf3b2a1f6731ef9a795d429af37a34d1127f9b00014be441c18fad92fe7eda74c643f0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe

Filesize
520KB

MD5
675a290cedee925a08c5aa84bbc0c5e7

SHA1
89f30d7d6d941bbbc7979aa253550ea054852241

SHA256
8166f953253cc37901970ff0cb29d7d732d884590be477694e52b169fd7526d7

SHA512
47ab3689dea9673e6d3738d9f52fe225462abdec971012a4aa4fa2a045c17c99f6f125555a1839a6b3e8e539f9238db3cf6aa1c3275e78042715d1152389eda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe

Filesize
520KB

MD5
714d545d64322570049d2bc83ae0766d

SHA1
fcfa3d2c7ec9adf1672ad1e1a58291e7b4d06d65

SHA256
ab26d2ebeaf6effc553e88499843c99975c8c331ef67a6391040fb9060eeba3b

SHA512
958b7b723bc874e7d7f069cbdd44f05e48a503924dcc60c9a6a48838ce483d1023fa3386e7a3b1ee2d1d7dff6636c11d6a1e4551b4c7b34b2a2ad0fc5d2552a0

Download Submit
\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe

Filesize
520KB

MD5
45b5a0c9e6b57c4d28a1de6aa9b7a2ba

SHA1
a633d36ba70ab040e2b029f9e1d853c38935e62d

SHA256
3c2ef3b8cd6e87461c7eecca24fbaa1ffa6fe6e955fa2387ca0948ca5e196f59

SHA512
84cf0c1d8f4838a16b0b1e017dc077144754cc1355ba8ef762a109fbdb2b6624b5269429953bbde90dbc879d9d1488ddf4d357fa7b011a9b2e12ffa9e2460c53

Download Submit
\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe

Filesize
520KB

MD5
94b39fae989229a447848dbc7a3676b8

SHA1
8d064a8cb32a38518b6a059f26ab72fb5c1e8584

SHA256
d9947b7327665191d3aad104ee7746101f451f7bc7ab285b57b97b555179ab60

SHA512
76c8adc3fdba0f9a8e4a4a57af59b006ac5fb74a115021034dac918d8d8bcad1e59a679472354979ca3f07785ac94c55f210b5ddc2dd7976d1dbc50799ea4126

Download Submit
\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe

Filesize
520KB

MD5
14cba177d1fc7e6f10e84f1cd2ebc1ee

SHA1
fcb7d4b762aed98a2c1fab0de1e0175434c6ca2a

SHA256
e839d62926fa4feefcd95e67f7f6f90c6e23ac9727d662ad0c6be048661dd6ce

SHA512
7d107a956f67bfea5379f5dfc67d6cb12408645f145c05c16490fa174f3d309de91dd7312bd47066a8f150d219d2be1dc795421dec95e1d6311820a911fe2fe7

Download Submit
\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe

Filesize
520KB

MD5
4093e616a08748bac28fd63f4c311927

SHA1
c99e35c80bf06b06908dd6072757511967dea686

SHA256
56fb121731a6c2061e5b6e4e64c4dfdcb818bd1ae777b7d73f1e8707762194d0

SHA512
d7e50f817476230ba175b2f9965cfcef0176fa11fbd8dbbaa47ff8878ba2b255b0b443ec53cbfab34ea212dcecda49918da4023cef048022f7d8a89481c06df4

Download Submit
\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe

Filesize
520KB

MD5
ec0fb4e8fde411bdeb4792edee19ef1c

SHA1
034871239f9922288dd4ae89b6475cf88427e984

SHA256
d00da003dd5082f040250be4036580d0e7063b64a74e3b9e39662f0528d43925

SHA512
b0bb7baf26378b509ac264578701f245f9fa987e34ac782bdb8eb5afde9b2b6263e3131a899e22d494260eb629a4bd0e19ca9edcf4901072bb972220a5d157f1

Download Submit
\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe

Filesize
520KB

MD5
e092002adb81e3bb02e276dc34452a4b

SHA1
9f213ca097edafe9aa837abbca5186ed4035aa68

SHA256
e6242ac174a1accaf94a27b81189e09927e56f395d80f95eec7cf04a5212a763

SHA512
d7d8d8438960e7a0bd6dfaccc70d8887643d26e48996d4f67bef7288b6864c5e2a721728f7e38398058617790c8188f797b2f26962d359cc0991516ec715c738

Download Submit
\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe

Filesize
520KB

MD5
aee7dcb4582de53bd7c0bea0e313d55f

SHA1
4a3dd072a9c8cf5549532f8870be721d5d4c53f5

SHA256
5b7a06b1a3d1bbe7823c23a2b9dc62217f08122707ce2cf69cbd1f36087928f4

SHA512
2893d86aa7787a2fd62051d9012a79146c0aeb0edffc25cce1045fee2bb46080ac6a0db53d272333f7091c4dd48027826160fbf133744c3fbc88e7a3f53c615b

Download Submit
\Users\Admin\AppData\Local\Temp\ORGAYXFPFKCTKJT\service.exe

Filesize
520KB

MD5
a677802f298e04a22a5a045c284981cd

SHA1
f2bbe72e2fbceda2e843029420f6550a7c8ebca6

SHA256
324f2ae7b2edfe72af773de674ee3626b0cb65e9e6162c487568a633e9b9dd20

SHA512
ac2665e42bcc8fb5147621823a506697fee2a098553b285d82b5815f58b29bf6665f02f3311c0196b08de9b5625021b64f937bcb4d8ce5b1739ab76a1b90ade1

Download Submit
\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe

Filesize
520KB

MD5
c14c6105d55fc19e71227a1f463000cf

SHA1
5e182f75a637a0457261014aa2509a3a231e498b

SHA256
2e17d149e8f0caaed69ebf4166bbb81b855019c2753a6026858ce45ebb8da657

SHA512
264c17f42d1e107295ef0fc81cc6c6d24c2e4c2a945a9120615394dfeceaed4caa7208fcfa410fffbde1475d865382b20641bf62b332b9b0b7988c1b44c4780e

Download Submit
\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe

Filesize
520KB

MD5
5bad1d3ffb42db89ed5b3adbf85f8cba

SHA1
6f46f857f4e29ed7694e2b4adc2ef4214a41b644

SHA256
446f9204b13300470575667ee5887acef1b4e0914ee78b31e29b60f1b39092e2

SHA512
183b5eba1777950748f767986c0d5ffaf41f970389fe346b87123a5a605a6f9b5ee0ca1c21ebd74c80f418863268996f28349abaa802bfc6cf425b79c6f54e95

Download Submit
\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe

Filesize
520KB

MD5
6dabcc85218fc8c797dca9bd5b3d2274

SHA1
f32e67ea35d8289ca5074c23147b711e86c7a0b4

SHA256
ec364b84d3b13f771d59c5ebb62be852b11ca6397d9922e9baef42b35f45c2c5

SHA512
9eeff4dc3534016c72a88c090945451ee47d444dca5d39139dbb8e13fb0344acb1fb6dfb286af65526b5099cc772129ba17166735371cf20ac0559a9193988f9

Download Submit
memory/2096-1126-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-1131-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-1132-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-1134-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-1135-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-1136-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads