cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250be

Analysis

max time kernel
110s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
Size

520KB
MD5

4f145030e1545cc01bfa347441a5b5f0
SHA1

23be52f419d0c0952d6badd58494a0bbd70fbeea
SHA256

cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250be
SHA512

c08aa11f69d58d9555c5f1fddcecd8a79a0e9286d7d8247a82db0e124c56d927f2e759cd553f2a85a78c2ad3a81f18dd88c4875b3271bf90c8baac9a3fe606c2
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXt:zW6ncoyqOp6IsTl/mXt

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 35 IoCs

pid	Process
4772	service.exe
2996	service.exe
4484	service.exe
932	service.exe
1080	service.exe
4820	service.exe
4140	service.exe
5060	service.exe
2104	service.exe
2756	service.exe
4948	service.exe
852	service.exe
4764	service.exe
1640	service.exe
4132	service.exe
4704	service.exe
5064	service.exe
4364	service.exe
4836	service.exe
932	service.exe
4132	service.exe
348	service.exe
1984	service.exe
4176	service.exe
4764	service.exe
1524	service.exe
1004	service.exe
1260	service.exe
2632	service.exe
4448	service.exe
3372	service.exe
4968	service.exe
932	service.exe
3468	service.exe
1800	service.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWMNL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GBXQVOEOIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UYKLIRDJOBEQRMK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIUROSNVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXRFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IRNIYRDSCSTQYKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJUNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLYOYSQTEIOBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONRFIECTYRHHJEA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIAQHGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIWDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSPDPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQQAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUVJWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXIJGPBHMADOPLJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSOMRDRTOHKLVQE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWEBPTYFGDMEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSPJEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMYJIMDNTLCCEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWSHVDLCX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LJNIQEFYWFFYOJS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLSHIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHXGOCCDYDUPCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LGEHXKRBMRBOWCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQSWUXINSFCRRE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWPFPJHJWXES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSSFHCACXSGNIMJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LHFVTKJLGDENJXW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LBNOJHKNUEPUERC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBVXLQVBCAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHMLTLAURLVGWBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUNOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPFQJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BLYUCXNRWDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONHQYIEPIJTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYCFVRSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMYJIMDNTLCBEF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUVRPWRHVCLCW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQOSNVJLDKKTPXO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSQUPWLMELMVQQF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQGRKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VRFRDBFXXTUHMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVEQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QCLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXPVNEOHGIVVDR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMANYVBTXSOPCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRUXWYKOTABHES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLYHHTQNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEEFAFBWREL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFWPS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 1800	3468	service.exe	239

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2244	reg.exe
4044	reg.exe
4632	reg.exe
2868	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1800	service.exe
Token: SeCreateTokenPrivilege	1800	service.exe
Token: SeAssignPrimaryTokenPrivilege	1800	service.exe
Token: SeLockMemoryPrivilege	1800	service.exe
Token: SeIncreaseQuotaPrivilege	1800	service.exe
Token: SeMachineAccountPrivilege	1800	service.exe
Token: SeTcbPrivilege	1800	service.exe
Token: SeSecurityPrivilege	1800	service.exe
Token: SeTakeOwnershipPrivilege	1800	service.exe
Token: SeLoadDriverPrivilege	1800	service.exe
Token: SeSystemProfilePrivilege	1800	service.exe
Token: SeSystemtimePrivilege	1800	service.exe
Token: SeProfSingleProcessPrivilege	1800	service.exe
Token: SeIncBasePriorityPrivilege	1800	service.exe
Token: SeCreatePagefilePrivilege	1800	service.exe
Token: SeCreatePermanentPrivilege	1800	service.exe
Token: SeBackupPrivilege	1800	service.exe
Token: SeRestorePrivilege	1800	service.exe
Token: SeShutdownPrivilege	1800	service.exe
Token: SeDebugPrivilege	1800	service.exe
Token: SeAuditPrivilege	1800	service.exe
Token: SeSystemEnvironmentPrivilege	1800	service.exe
Token: SeChangeNotifyPrivilege	1800	service.exe
Token: SeRemoteShutdownPrivilege	1800	service.exe
Token: SeUndockPrivilege	1800	service.exe
Token: SeSyncAgentPrivilege	1800	service.exe
Token: SeEnableDelegationPrivilege	1800	service.exe
Token: SeManageVolumePrivilege	1800	service.exe
Token: SeImpersonatePrivilege	1800	service.exe
Token: SeCreateGlobalPrivilege	1800	service.exe
Token: 31	1800	service.exe
Token: 32	1800	service.exe
Token: 33	1800	service.exe
Token: 34	1800	service.exe
Token: 35	1800	service.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
1136	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
4772	service.exe
2996	service.exe
4484	service.exe
932	service.exe
1080	service.exe
4820	service.exe
4140	service.exe
5060	service.exe
2104	service.exe
2756	service.exe
4948	service.exe
852	service.exe
4764	service.exe
1640	service.exe
4132	service.exe
4704	service.exe
5064	service.exe
4364	service.exe
4836	service.exe
932	service.exe
4132	service.exe
348	service.exe
1984	service.exe
4176	service.exe
4764	service.exe
1524	service.exe
1004	service.exe
1260	service.exe
2632	service.exe
4448	service.exe
3372	service.exe
4968	service.exe
932	service.exe
3468	service.exe
1800	service.exe
1800	service.exe
1800	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1468	1136	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	87
PID 1136 wrote to memory of 1468	1136	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	87
PID 1136 wrote to memory of 1468	1136	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	87
PID 1468 wrote to memory of 464	1468	cmd.exe	89
PID 1468 wrote to memory of 464	1468	cmd.exe	89
PID 1468 wrote to memory of 464	1468	cmd.exe	89
PID 1136 wrote to memory of 4772	1136	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	90
PID 1136 wrote to memory of 4772	1136	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	90
PID 1136 wrote to memory of 4772	1136	cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe	90
PID 4772 wrote to memory of 4476	4772	service.exe	91
PID 4772 wrote to memory of 4476	4772	service.exe	91
PID 4772 wrote to memory of 4476	4772	service.exe	91
PID 4476 wrote to memory of 4900	4476	cmd.exe	95
PID 4476 wrote to memory of 4900	4476	cmd.exe	95
PID 4476 wrote to memory of 4900	4476	cmd.exe	95
PID 4772 wrote to memory of 2996	4772	service.exe	96
PID 4772 wrote to memory of 2996	4772	service.exe	96
PID 4772 wrote to memory of 2996	4772	service.exe	96
PID 2996 wrote to memory of 920	2996	service.exe	100
PID 2996 wrote to memory of 920	2996	service.exe	100
PID 2996 wrote to memory of 920	2996	service.exe	100
PID 920 wrote to memory of 3092	920	cmd.exe	102
PID 920 wrote to memory of 3092	920	cmd.exe	102
PID 920 wrote to memory of 3092	920	cmd.exe	102
PID 2996 wrote to memory of 4484	2996	service.exe	103
PID 2996 wrote to memory of 4484	2996	service.exe	103
PID 2996 wrote to memory of 4484	2996	service.exe	103
PID 4484 wrote to memory of 3404	4484	service.exe	104
PID 4484 wrote to memory of 3404	4484	service.exe	104
PID 4484 wrote to memory of 3404	4484	service.exe	104
PID 3404 wrote to memory of 4792	3404	cmd.exe	106
PID 3404 wrote to memory of 4792	3404	cmd.exe	106
PID 3404 wrote to memory of 4792	3404	cmd.exe	106
PID 4484 wrote to memory of 932	4484	service.exe	109
PID 4484 wrote to memory of 932	4484	service.exe	109
PID 4484 wrote to memory of 932	4484	service.exe	109
PID 932 wrote to memory of 1648	932	service.exe	110
PID 932 wrote to memory of 1648	932	service.exe	110
PID 932 wrote to memory of 1648	932	service.exe	110
PID 1648 wrote to memory of 4424	1648	cmd.exe	112
PID 1648 wrote to memory of 4424	1648	cmd.exe	112
PID 1648 wrote to memory of 4424	1648	cmd.exe	112
PID 932 wrote to memory of 1080	932	service.exe	113
PID 932 wrote to memory of 1080	932	service.exe	113
PID 932 wrote to memory of 1080	932	service.exe	113
PID 1080 wrote to memory of 1744	1080	service.exe	116
PID 1080 wrote to memory of 1744	1080	service.exe	116
PID 1080 wrote to memory of 1744	1080	service.exe	116
PID 1744 wrote to memory of 4444	1744	cmd.exe	118
PID 1744 wrote to memory of 4444	1744	cmd.exe	118
PID 1744 wrote to memory of 4444	1744	cmd.exe	118
PID 1080 wrote to memory of 4820	1080	service.exe	119
PID 1080 wrote to memory of 4820	1080	service.exe	119
PID 1080 wrote to memory of 4820	1080	service.exe	119
PID 4820 wrote to memory of 620	4820	service.exe	120
PID 4820 wrote to memory of 620	4820	service.exe	120
PID 4820 wrote to memory of 620	4820	service.exe	120
PID 620 wrote to memory of 2136	620	cmd.exe	122
PID 620 wrote to memory of 2136	620	cmd.exe	122
PID 620 wrote to memory of 2136	620	cmd.exe	122
PID 4820 wrote to memory of 4140	4820	service.exe	125
PID 4820 wrote to memory of 4140	4820	service.exe	125
PID 4820 wrote to memory of 4140	4820	service.exe	125
PID 4140 wrote to memory of 3668	4140	service.exe	126

C:\Users\Admin\AppData\Local\Temp\cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe
"C:\Users\Admin\AppData\Local\Temp\cec5b57d5d76e6051d098c5a1247e70e9fab4bf98370f3c07924d958607250beN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNCQXG.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYKLIRDJOBEQRMK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:464
- C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe
  "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPBIN.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe
    "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTBPOA.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYJIMDNTLCBEF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUVRPWRHVCLCW\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\GJVUVRPWRHVCLCW\service.exe
      "C:\Users\Admin\AppData\Local\Temp\GJVUVRPWRHVCLCW\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIUROSNVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBPYPJ.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSOMRDRTOHKLVQE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4424
      - C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IRNIYRDSCSTQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMYVU.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQOSNVJLDKKTPXO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEPVMK.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVWTCO.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DHMLTLAURLVGWBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
        11⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBXWA.bat" "
        12⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSQUPWLMELMVQQF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBLHUT.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONRFIECTYRHHJEA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        14⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFRDBFXXTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVEQ\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVEQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVEQ\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVRPTO.bat" "
        17⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSSFHCACXSGNIMJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QCLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYFGD.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALEYFWPS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
        21⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSPDPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTBPOA.bat" "
        22⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYJIMDNTLCCEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUGNR.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUNOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYATT.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMANYVBTXSOPCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHTQP.bat" "
        25⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LJNIQEFYWFFYOJS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPWL.bat" "
        26⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIQICL.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LHFVTKJLGDENJXW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAFXWS.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LBNOJHKNUEPUERC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUHNS.bat" "
        29⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "
        30⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTQNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWREL\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWREL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWREL\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIRMV.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLSHIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        32⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYTPPQ.bat" "
        33⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LGEHXKRBMRBOWCU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLBOWF.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXIJGPBHMADOPLJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        38⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe:*:Enabled:Windows Messanger" /f
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe:*:Enabled:Windows Messanger" /f
        38⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        37⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        38⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        37⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        38⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAFXWS.txt

Filesize
163B

MD5
f05a51105beb2e8ddab61330ec19ed9c

SHA1
080f88c2103fbf334f86127cf7a26257ada3698f

SHA256
3e667661e3d261c70499c3627da5304c8cb5dbbf9f167c33916315a8571362a9

SHA512
5ec2d5f5ff81f4addc1c16d5d38b8b4a912bea3897a148e946e488dab0a9280939f5dc2a9d585ba5b4f158768f2befbc3e663121a31fab9fe1aba8a27429dd47

Download Submit
C:\Users\Admin\AppData\Local\TempBLHUT.txt

Filesize
163B

MD5
319dcf9bbaf5d91c15609c34664609b6

SHA1
b8265652fb888fc7bb75022436d40db1fbc225d6

SHA256
228bb12a01da6d46d05f9e57071b95e4cf6dd5ba194a934377f34edca9d48abb

SHA512
b415687c96efe1180bc5cf6eb361dfd19d2aed62af6e92567edc9f53c4875ea19226127b66c4b5f1bd0e7de0993ab68ad4b7eb6e4b99542d5521e91918fc35eb

Download Submit
C:\Users\Admin\AppData\Local\TempBPYPJ.txt

Filesize
163B

MD5
b9c4158c35c4e865411411e05fea53de

SHA1
9b7499b1df0cc7c4018d0fcd1957cfa96a22c52c

SHA256
5fe63d914097e45f5faabe943e48cf3fd9774380d4618d360fc954a325755f09

SHA512
d451411a3703ed2019f036784bc8c0112d5aa32ad6b27127ccb2d0b8ec468a2509032701a3d28730d0285cd78c8897bd69588a06bbd32114175dbd7e327f23a9

Download Submit
C:\Users\Admin\AppData\Local\TempDMYVU.txt

Filesize
163B

MD5
d6105e590433e7f7508c00af130d7a3c

SHA1
292fa812404401873a943ac2fd15f60aa4b82ebb

SHA256
2e65e2d276f12ff4c0ac0e38ffa1015f54d564ce46d2c9d6e4503eede7d40a6f

SHA512
3f45fba364688e7cfa5cf9b7774cb6792916bfc69bb6f3216a6c5c9169d41507572767ceb4ef19935787ea4ed3a3226ef4973672eead580e6ac296cd66fc7298

Download Submit
C:\Users\Admin\AppData\Local\TempEPVMK.txt

Filesize
163B

MD5
8880d76cb517842c5aaa86263c8879ba

SHA1
bbac5134e67f6fe48b3c3cd6a651b3a199241dfe

SHA256
85fd0dff1a904d19612d2caf21d1927145648fe845aa344221dd63dee5377d2a

SHA512
b4bca065bfdca602b49e71aef443831546b9320c0d3cc5a73a97ebb99d186b857f3371acdd6906d09127893c52fd7785d0f4f9110a99dd7e406572c8c46b3a3c

Download Submit
C:\Users\Admin\AppData\Local\TempFYYNW.txt

Filesize
163B

MD5
ac1db7a4cc4945c99d68efb56a574eb3

SHA1
0cfe5291cec24b1284fee1ebfb6f89ea244969a2

SHA256
441959f01c32816fd181058eacff5fa5b68e40aafb25d71bc8c0c2767a2f5230

SHA512
e989dfe923bf136708519503f30c08b731762efb4e0041262e8e9a6d731dcc792cc4c558e2555837bc982dd1b1ec53f3b23348d33d38de56774f8d09cdba1141

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.txt

Filesize
163B

MD5
c69ad7cd7a6fc1d96090e871b4ffbae2

SHA1
2d56bd28cc64dd5fc649827c8186b218181bd8fe

SHA256
5c201e013a54c1c2269697ef96d2fd28df7a962de0cac4ee3437f369e3f925f8

SHA512
42a294605d65e20dabbff07e25e6ae12ecda91e170c706ccda89b171508542ad620372cdcbc9f012f75c72357ca43660b400b40d6021df0774b03d556b08cd41

Download Submit
C:\Users\Admin\AppData\Local\TempHIRMV.txt

Filesize
163B

MD5
8537ec64ab9c824ea1b462610fbd206a

SHA1
ad65ebd0e4cefe33fe48c62e9b89479a0c298f52

SHA256
66605e0d67a3c79ef3eaa349748ee9941aef99836743aa0967ac48a5cc3d76fc

SHA512
a57dcf092df0d45ab464156efede8641d338c56e5179169086585d03bdc1d01fc7610d849203947958e913feff07a58e22491a20114415604d26e245910b81dd

Download Submit
C:\Users\Admin\AppData\Local\TempHPBIN.txt

Filesize
163B

MD5
e1f030b7dfab23bd475cecebec6df92a

SHA1
8ce50ac8b64267ee145190201ee1f867c4cffa89

SHA256
56c1dd1510389575a765cd263d6cfa0c40c589433acacdac1b8bde912782d9e8

SHA512
705d81c3040dcbdea95a182932feb66c7a83a1944c09dbc124193d7a4fa6da7a447e0e760e9e68c60fb9c84b0b91190df2beeb497b217a279b6d7d5b58157667

Download Submit
C:\Users\Admin\AppData\Local\TempIQICL.txt

Filesize
163B

MD5
4bbe04aec9e5f0a4baca7e8527955a68

SHA1
7c3f65b106911b5b5a91219edf07981d37daa16e

SHA256
16daab60f2bae314d92fb0e94e15bc392a1f64afb3ba1ee38b616399c1df3f5c

SHA512
45beacedefa4841523370d67a42721251394b68ca262e446582425662ab4743e497399b044642f064a3b36dba2d76ab95b17703616cede12aaa4fa0a55cb5887

Download Submit
C:\Users\Admin\AppData\Local\TempJACDR.txt

Filesize
163B

MD5
49bbf6c8688591d689bd71bf51c1e28c

SHA1
d6a6cfb52ac5375af87b7b1e44c2eae713ce23eb

SHA256
1ebfac99ed6747ce86a48ed9ffb7c793522755c7e0a0f8f470efeec173164203

SHA512
dbeb4151828f843ff90476cda49adc77fc5be03bed169b38d638e75ba1d8be6ede1945df5759cfff5c6abf0d545624881baad33650355c256f6f4b56884cf046

Download Submit
C:\Users\Admin\AppData\Local\TempJHTQP.txt

Filesize
163B

MD5
f4ed17fc56b5d48d25ca8625a37f2329

SHA1
cb67c6490a394f2dbf4b760ddaa85149d52fe850

SHA256
e0a18dcc2fb3456998ed127889a4f5b332f3dfbe8bec3eaba11b9f2e9ca8fbbf

SHA512
8200ef3de772699a86b3a9bdfc20db33e27049435aa21e58952f869d4404a76a4cd52142279e99b00f7cb7ad0fc8bf537011b1a12c97686806104ff882ed161e

Download Submit
C:\Users\Admin\AppData\Local\TempKSOXO.txt

Filesize
163B

MD5
9c2828f47f6464ca4c85b44140097a0f

SHA1
6e153964c005d4e52425878ef9a2f1a9d72243c1

SHA256
5bb32f3a4dc0689211b0be3ddc5639ef127be2ae35b34adb1f22a0c780bd5c2a

SHA512
969691b2adc71597506f550368a5e155bb3631afe1eb4b39bfe86f3443130f1c464fe7da0b9fd82418bacfdaa99bed1b4e8d96d0cff66615d69b7da18325c556

Download Submit
C:\Users\Admin\AppData\Local\TempLBOWF.txt

Filesize
163B

MD5
fffa201049963963d615defe7f276361

SHA1
2d915c110670b89b0137e147d7b7f6fb68cd3b33

SHA256
b1157e37d77efe428871fbc834d4e1fb25f1676b748785707e6326b69f8a337b

SHA512
94f7cc20967b55da0cc8f9238c1c6644d5cfa0d5e8807d08696dd457a680c0e25cf37733f11a842d42a760d1b3dc102b71d567b293965b631883525b0ebcf288

Download Submit
C:\Users\Admin\AppData\Local\TempMUGNR.txt

Filesize
163B

MD5
e65890858f7fb8dad52e80356b191005

SHA1
2c6e3801a0cc15203581fe5fef35fbe2883edc74

SHA256
54f999d041ba8ca3afddfbe7d58063ea4c3b83fd7463b3216b5e7b0aaa20336d

SHA512
0e8e3164328b88513002fd82fb81dfea8e91e3e08e1f80fbbd47e395409ac56c6ee2847bbdead49d0cceaa33231c415ee570a30ccf90b047e1b44212296f35fd

Download Submit
C:\Users\Admin\AppData\Local\TempMUHNS.txt

Filesize
163B

MD5
d4aa8b386bb83f4d6d01503c671da973

SHA1
5b2e569c24444e758ab1a61c5fb7ab566c1e4f93

SHA256
3439a5c3bb5b7b90e697877fbcb9aff63ec15c7f5436fdeead0388855daf4a04

SHA512
74ad241c98f8899dd7d91cd07435e0b0eb1e3599d0222d728a3517e4d0449a6c9063204622b2e369976ba7accdc9c42b14d5259277e39eb5fa2ab1519390e6bb

Download Submit
C:\Users\Admin\AppData\Local\TempNCQXG.txt

Filesize
163B

MD5
eee8e896fa83f1401ada436697156a59

SHA1
e5061d6d8b2a7791298c506f781543c2d173ab31

SHA256
ce92e0326ec7a54541a45bcb607ac66a28098d31cf59a014195da1c4de771a9a

SHA512
c184a1b0529b37e34165441b556a8f9579dce8475dfbf604f78965c96d21ea850616e26698cfb1c6c95c792271ef4a1583b29e763bc5ab9925da1367a86897a0

Download Submit
C:\Users\Admin\AppData\Local\TempNOXTA.txt

Filesize
163B

MD5
ebcb8bedc136fcaef9c1a6638470cbc2

SHA1
5f52106e450ae89e0dff4fb6113eb262ea55d405

SHA256
4f12249e54395b2236ea9e8640867756aa0fb546db2bd688da06beef03ce8696

SHA512
eb14cf6e638e3dcb9ebdfa389f960fb4c38aee0fddfe06b0f9cc52b48a828cc4726492f4d551e033b99b2587d44566490802becdba838a0e8dbc00fdfa7889fd

Download Submit
C:\Users\Admin\AppData\Local\TempOBXWA.txt

Filesize
163B

MD5
03f6c15f5d7355073ad45e84df2f68f2

SHA1
26aef9fc52a6b61d029c8b862086f38f88169291

SHA256
0a29af70e13d370e8ff9b57f6350b8c79b4bafdadb169db5f377c046d5741978

SHA512
efb529c2f07649c9022b16a634416fbd3bc8eedb3ad30bd9e0767e1248875842eaacccbc6400daff5df27d4df6dcc8f147427f638e50316820fb912c2fdc3e1b

Download Submit
C:\Users\Admin\AppData\Local\TempPYATT.txt

Filesize
163B

MD5
294780c61cfebef6b14816598e128856

SHA1
e5d847a0951984f5fa6b43a6a8d692b875ca977e

SHA256
54be3aec94a6fb49757c4fe42ea960d85496fc6e8c5072e8a9bd0182945474e6

SHA512
99f93b00f762fdf42aa46a60fd5c23852cd5157387c08fa2cc7a9b3d94e21a04b65c2bb703767b88071a1dc95717f5835805742afc1666f9854b6e26a193c7e2

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.txt

Filesize
163B

MD5
e6348f4c811ee47c64701c4854ced368

SHA1
68ffe06a37d8f3204a521ec7b3357fb1b5cbb15d

SHA256
37575df12f3a31ef0ef92193c5f6e95d5693c23605f8d469c1990f11be89c6b3

SHA512
7a94944804c638197d435f2dbb392b8f9fec1edc40352ab6ea1a04a55cb8f1570dc13b31014d3ccb5ddd18a9de9ea626d9d6a4857a4414f417a3c4e462ff400e

Download Submit
C:\Users\Admin\AppData\Local\TempQUPWL.txt

Filesize
163B

MD5
96ee9589f991bd9c3dcd56ca158d2b77

SHA1
d2f5d1b16cd3d9e20d97d95d27e2228461452ede

SHA256
73ac7be5d82c6725cb5c08a99f4af57ee5e888a45d4db04ebdc6a60137923571

SHA512
d37955950a9eaf0eef608960dec84def0baea494489226d19651c63d09e6c869007a9d44297c63de5fff6f5ecf02f14447b1f2a811a8b534ad0c5cfa6812f543

Download Submit
C:\Users\Admin\AppData\Local\TempRRCWV.txt

Filesize
163B

MD5
4e1bd99e24df2894bc8d6ca5770c579d

SHA1
5600d1a3f6c3e7edaf7cb21e2140548cff9f83ff

SHA256
690c45e0963cb87f5a01c5c56b9496fca439f1f82c53d6654610568c599f89f5

SHA512
5c7484f19badf65018fcad73d0ef6a292b959eb9e8bf810748b355595a96085a59910718377b07513c7ac4d688582bee7058b382934d10caf591c83bd820a5de

Download Submit
C:\Users\Admin\AppData\Local\TempTBPOA.txt

Filesize
163B

MD5
be9d453ada3c582e4d01ce1ead5a5879

SHA1
7e6fb6db3c5d6be41af45c4173c2ce718e73af41

SHA256
fd05eda0830094aaa92ec846c11e90f0d0c252630972cc432f25e7678cb7b956

SHA512
c33cb4db11d2abe8e46e9016e2e367df3ac58ceca95fd74177f7a6a2a32b790fcc5448c2c6f168b2633ac66e42060a77566e99ca91a606d8282806c2a27c8e25

Download Submit
C:\Users\Admin\AppData\Local\TempTBPOA.txt

Filesize
163B

MD5
680e2e9cc13cbe1b58ee8b3fd71964c6

SHA1
0ffe1b8f9425517ea5ef01e2d12bbae60b37ce43

SHA256
bb4aa12fcf304f4ea13c9a7e9a5d9ca7943075065d4cb8166f5b8b513cb9e50a

SHA512
868c3e3b264d0c6888f01a7ca811f84391fe9ad67c4393b15d87769b9f216830dd6c1c24c8bef9413d10918e5e880c53660f26504644d7affbb2e7fcdc7ae492

Download Submit
C:\Users\Admin\AppData\Local\TempTFLQC.txt

Filesize
163B

MD5
f4ecb1100a1a3004491f21629be3ef86

SHA1
cf268cd395372e58bc0b877cfe5484cf1cb459ed

SHA256
5b42cc6707b41204cb786f0e2e459fdc3b8adca488f7a244cc2b26788e19d4b2

SHA512
75dcbd7bf21b9352216f58d2fe3d406bae48158ad0a360035179c823a8d15f9f7ce0a5be2b9dc6fcaddb5c443fc952d5eb9eec730b681fca65a0e7e2cd9d02e8

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.txt

Filesize
163B

MD5
3488c42776cae9cf6a043bd69b5b3a01

SHA1
28e32f5297c43ec9425abede002111219a889773

SHA256
0e42af7b06259cedbb36f5f5cd93304a118dbf23d0669c8ff377af17c0b672d8

SHA512
ac3a4249f324b5c65b00209cadc5df204088db2be8b983deebd1066641d13ab81c59ec2b5ddcb90bef97a4ff1f03868f64eb73fac1d7e9852dd8f5773b8c64fb

Download Submit
C:\Users\Admin\AppData\Local\TempTYFGD.txt

Filesize
163B

MD5
78be5efd6f00a17dd035880f8b17f7b5

SHA1
557d916dfc0a62bcc340f3f54f15edeb8ce2a14a

SHA256
68d647e33e63f912b96928a9146aa07146c51e812e573e0015797f67040aef5b

SHA512
09eb040eab976a5bd9f1226cb583c31b5270107ef35db5ab50cff97659a79206646f015828eaee73119dfdb1a323cb3df256683b0f7c076e66616a16498880be

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.txt

Filesize
163B

MD5
38097e1b24f57471d24680739b536973

SHA1
622ea50ee17aaeb4bbcbfe0c10fb7f98271f536f

SHA256
266ef99301ba6db3b9454e9ea1af017104a1c29bf47860034da22bf82ae516a2

SHA512
a19a94c7654377f18fdaebd1abc35e9f280cd2b042fa87f59203f462db6c6b50795aaacd27c98c6084a3d5968e6f98a01e5581aa4edfb595453027b555adc727

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.txt

Filesize
163B

MD5
6261b3927493f81b9cf5a4227679e5fd

SHA1
f08f673a776dd52bd64d1ff11b72fc6235293509

SHA256
f9f770d828bd8fbeda26c96b2c49b26036d19f920c0e0573c06d927da57f5d3c

SHA512
5b19fc117de6ea9cc6695c4be8e0d87c8e9689f8307a7367bf4f52f8dc591c371913784379314994fc2faf49640c30fe7a30de31563126941ce0a297f9d72686

Download Submit
C:\Users\Admin\AppData\Local\TempVRPTO.txt

Filesize
163B

MD5
6b60a4cb5d39a98fa32ad5b3fa8b0eaf

SHA1
ef25a9cf5bad4d5f168bf9f801d584f2b6e509ca

SHA256
34488ccaedebd99885b2221e379b7aedf6006e3e71a6b97ae4dfd8325868902e

SHA512
23450b5ab45a21e9debb146bf9e998688204db4a6d0750e9a038c020e019b2729f46912bb9048e96df8ad73990d3aa98a2cb67af97fa15c394366cfd48bd9e2f

Download Submit
C:\Users\Admin\AppData\Local\TempVWTCO.txt

Filesize
163B

MD5
72cd1d49c581affb3a894b55e245a6cc

SHA1
5bb1f5e9aa0c3098fe36f8e0093179f2e038633d

SHA256
a612a89a5314621fb6251b7dfc5b53274aa8db77d9b988f27152988a35b3406e

SHA512
ab9b44648a345cf535d95bdf6c53f9867a8ea07ac88336e5558ab8b78ce46b101ce5c49f7afd4da7ab818a2d8790343635a0574b181f384facd370bf5bb46822

Download Submit
C:\Users\Admin\AppData\Local\TempYTPPQ.txt

Filesize
163B

MD5
16c9a281c61e4a6114b6bd4e66c0ccd8

SHA1
9de9df6e12fd7adea9efde5aa3c7aa1b0609d299

SHA256
2f071aa77b3f181d891b57c291c81d186457ca50dd9890cfb84f87d9a82b2b13

SHA512
886a1de4294f3a9fd23e01ead137ae1b88f15bfe043b6cbd8b43a30065aebc36e06e9e3d3d4a342c19681373f9eaaf29d59b6613374b7344a7337625a6a9ae4c

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
8d838174ee8ed3220ee3100477da63b9

SHA1
2cc94e920b38437218cc484daf44a3a0cb3a00db

SHA256
e66207d4093fd122c4413c37f7591fcb16b877ac283757947547a7f0a1a0a398

SHA512
e6374bec6072403fe490e4770fdd106182fd3941a2689e63c7d7e2cda67125303d7b133235b8990e458b63c55deb6726bacbea8948714592183321bfc8b0eb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe

Filesize
520KB

MD5
9a8f3dd601a258ce3dc0912f7fcba991

SHA1
371a904c065e2fa3cb1536f2c92acbde5d56dea8

SHA256
34749ed83961a6e5771489bd3cf2587dcc6f7d0544f2a9b4caa6fb9d87f345bc

SHA512
aeba44674e2af23d60d4c38c575dee60d7a2538bd59cffc1eaa630de42c057ed0eb2ec8b40483870d04cb2d88715799ea0d9cfcf66bfd67b4f83a26e05fed8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe

Filesize
520KB

MD5
a67b98e114d74737dc77ecaa7996beb0

SHA1
e1554722a7dcce8022fe38ead5c82fb7c79af836

SHA256
426eb8ad6dae94f15f8bc1031b02d1192444b4234463f4343eabb357d18b99a5

SHA512
8ade62bd3cc2f8494f60b1592fa7760838a3c8b2941af8d5eb685bff67552e201f643af4dd3c493b9903f16214266598382fe947b41fc9d6b9ec9205745d665d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe

Filesize
520KB

MD5
ed45d9af45403581499e7fa43d7f6154

SHA1
d7c9b8322e9c9afb219819fc93fb2a1bd6c4ab88

SHA256
a4c778e26a91d06fc12a8f317f0ceecb399621cc22afc3141e6337088096cf89

SHA512
0c8877b69b8a51c7e82cf240ff2ce1844d63b3644c231330430ee33093a3036aa5d01c81950f3e344ecbb8b12533eaffffc29ea8bf49e73480e5e97383abe202

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe

Filesize
520KB

MD5
349b42e6fff732f752dd4df5e6579e22

SHA1
487ac33b7c4f7cc9dc896d5d186cb697597a00a1

SHA256
6eca1b5c0e6b4b2dc6f4899852b69297af1a0fb2c11089fc7a06ef41bd7612ad

SHA512
52cb9db6add2764892235a36d0d19e6dc0437ab3fc23dc74996b7767e039b456cdf31cb30ead7dafb36117b05be4b1e76b347fa7115932be117036d7a3428c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe

Filesize
520KB

MD5
d78c9014dd0ff0e719a4fd03c615741f

SHA1
80852a9eab94b9ae47397890b70e0d7082c9ca11

SHA256
8f32bffafff4b57ca3c38a2542b713a1b4b538b3ccfefe3f891b69a3c2c2799f

SHA512
d760ceb344a28f3731d2abd66c0fe503240f8809c34d68b1792b793a756995cd5055562f0b6657e3bd2541e4ab7d9ca88730e86c977e63dcbb66bc9d82fa6650

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe

Filesize
520KB

MD5
f252d15a7cff1e78423fd0547603bcb6

SHA1
0b9cb28799c4cc8560fe9931e9716e9b963b8d11

SHA256
82e930b1d58c51aa50d138f4abeb2a27fd2e1ac5295af43ca8dc46a64d2a9b7b

SHA512
583174b7a0980cbde876bd8c0e6a933bc805e13ff3af19ee4866898c56efaffea009b826865f454fa4ad65a01023a6bc4488e9475616d07b7b5f0984646fe772

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJVUVRPWRHVCLCW\service.exe

Filesize
520KB

MD5
2bbb289c0d5682199f2158b6aaeb388f

SHA1
6732244ba2abb1daddb4ed328fd0d2e489e2883d

SHA256
e3ab4d4e5fa3c5ef23277cc4522b8aabe053d869f0c3316b54988d6c38147906

SHA512
c721418e3f0a44e428963bd186c1b3aa8b577e52d7429a1401a686b7cd3dd2eceac2c456ac2e7cad153081681d369dd3ead9b692480f54ba185509f792957006

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe

Filesize
520KB

MD5
6eb33648b87b2ab30ac48c3c7f1459de

SHA1
6b3e50b1aae517a13fd467fc01c787845d9bc7d3

SHA256
b081b2d269be0f88eff711302539fdefb6414604e0a2b31cb599b8a2eb9f7044

SHA512
8cf173149fce846738001e187d729d2fe22365a3a7568cccd0298c7deb87b3ec40aa4bb41e16a9138d30e7a44f983940ed8dd67dd82f8423d0f1c3c7c61b529c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe

Filesize
520KB

MD5
7ea0b1836a29008a38db1bfc6a26c2bc

SHA1
28d90af90c5b9647e097e75955fa0595f589d230

SHA256
8d15f624e7d159e2d6369ff636dfde656d27fb9ba0f62cde949dc926f9ddc862

SHA512
b740361518508af04c817920bfa49cf5ecd60216ecc14ae2c7022cb40fb616da6cdf3738022ed549ddc49a53d6d48940df4bebc8218352c8f25c70298deaf640

Download Submit
C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe

Filesize
520KB

MD5
069767c8a3e6d34d67d6a577153d3c0e

SHA1
261561bc2068eb4f9715a49832df1fced709a864

SHA256
29e51551b3b97895faef100137c0df39300e5d5dcd8ff9eb6ef24ab682f5c264

SHA512
fc0cd8ff30d30c3ec98f4dd68433424fd2fc15d3586f4b8a1f5ce49a444a3ebcc07704d9313e8e391630e28e9ea25545bc43a7a789438f0fdf8c144c3e4cf797

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe

Filesize
520KB

MD5
e42dbd0bfba6657b2c0f3b43bc545900

SHA1
b243ba81755d59f52be4411b135383caf3507999

SHA256
097ba6dc21381a1863b9f65b858998c00c8253a12738929f34e289103580ccf2

SHA512
d0744e0078fc024da471a48f3291b764b699ed725aafceaa0186d8b103e97e206a3f69aef88f206986653756508db932d2aa3d399610b6bbb97b6ed744dba988

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.txt

Filesize
520KB

MD5
0275c601731828667f43ecf5ea95c235

SHA1
ea76268e2a0634b7b0c7a84fc39446b365c19d7f

SHA256
d46cddf42765416d4b1c51a77b400eb55e52172dde776ab8959871ebaf00db0d

SHA512
b0acc42c8674f6b044f24721f8814bbc69879743bc9e547bd9fba6887f35207d38be8848a69677de69b3dc910353a71d4f787aa0f4898947fb67e0ba92e2f78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe

Filesize
520KB

MD5
470bdf73836a1ab9009b18d450f6e363

SHA1
13dde5046c5417fbb81d2b3dba26a508f74a972a

SHA256
2b0d7147060e5349899ae0674d660be9f33d803904e661a76fd3dba004f53dc5

SHA512
a88d7f13061ccf104273ecd4334e737d67a89e065c4e986c2e76f17bbbcf43032d5423bc6c20ca554c01933f9ad75855210ce982712c6cfa495642c54c9dd215

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe

Filesize
520KB

MD5
7dddf776ec8782876d83ec043eefca60

SHA1
733ae20b1edf39b9b24d697c9f19bb5cae6c741d

SHA256
64875ca030845a20fd4379345b2124f703cadd281cf37551066fb22f76402219

SHA512
64c19377069adb65c979a30931ade1580cac713bc923f9a05de6d90cdc51b1aa8e693c205d06263aa7960bb4795d9c31428a2c7000568a729d5014f7308985e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe

Filesize
520KB

MD5
cc417ec54a8b306805406e1020732a72

SHA1
add36ffa45bc38875d42897c39f270a4639e8cfa

SHA256
5598bc56b680627d52aa89df2d4a7f0261d282d83992e847a6e5622ed6c3c510

SHA512
8d5a80f46a295e2ededa537649daebf0f2252a79d5d8b854b60fbcb88cde93e10a99518533063395f7b54543a49b13f50bafb57cd8244956294869d5eb5d852e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe

Filesize
520KB

MD5
5d77ce575b8b6dd7dd4a7230042dc8d6

SHA1
0dbd17f4940663abe7a6233fa00cb80c3eab22ed

SHA256
b927cb5d464cf061cacf5df6134419a21289c3bbcc1b4068290a94adf70b46fb

SHA512
05ee7262cd603b0a67761ae26fc7d9cd5da5475cb1d9ba4e0b2235bddb718f5039652391cee1e70c0b722e16d8acc9b6a3c2e54c6809af39eaeda07a95c79a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe

Filesize
520KB

MD5
741f96a8b8ddf57f671fde0a2609a5e4

SHA1
41e8c4e7c9eed151616baf9f8d7fc988a17f694a

SHA256
229b0fea55efb5fbc99babd653255c533096efaf76e5a59e118450ccbf50b403

SHA512
f5a9cd6e28834043b7db422276149d67e764b5ac1629633f3432347ce7d334c2df7a96b51cd12239f9f136abd4dc95d149017831db7632ccb1b17cd54689f076

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVEQ\service.exe

Filesize
520KB

MD5
888a45ce98ad6b60893c08aebc449142

SHA1
90ac230b991ae370466941f07a6c1eb2d43bc100

SHA256
496885e34a05ca7a8f204e39bd679f91a310f79dc50982c9d0138159c1be0c2b

SHA512
c2d07e7118e75e109d736e776fdd6de28de6f4fe6b99965f22a9b40f0de56858e741f435f3ae39bf41cbe3abb7730daa666ba0af97ba873ac6bbc060c80012bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe

Filesize
520KB

MD5
0c5a787475eb753f508634b9328a5d3d

SHA1
c26585d241b040312fb931a440ff9f4ae21b5f9a

SHA256
df067e507fe8bf6807026c780f7ad9337eaf7876ebc51fd43eac11e652662042

SHA512
6fd6f5328088b702bc9f367ac551a703d6f3476c43bb74c0e0ab1cefd1bdc74aa646ba2216a0b05f551d9986a4b3cec53e039985cf94962910a57dd0212b8c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe

Filesize
520KB

MD5
9c705f0f313dacd23ff81dd239a9eb3e

SHA1
8b0d38c51e228494eb9ec09d3774206a974fb618

SHA256
62ffc576ffec10d035693eebf9c5b3aa2f6ee836b6b5528e86ea2e65584b52b0

SHA512
7b8b166c1d0e959aa760c95d777434f5b05f71d4afaa23518ad046c5b23fc752412dd0e1191862e55c64c4070ad029a53850b3ad8e09ec158aa6e5b121594c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe

Filesize
520KB

MD5
b9388d51ab5f29f36a4feb99bccf75a7

SHA1
33011d387f0db78e2b50efe8c687e81ef1a69817

SHA256
d39e3073f3e7c1e5754954816a206330c4cecbb40e419fe918d52a6aeaf3f2e4

SHA512
b38bf7da0a5d1bcd977476b47448c0a794cd0b5790aaa7feff5cde06ae5941eb875f4ab72fd7813be6737affd9a3bb2ec2c731bf4ca52a88f718a3844c8d84b5

Download Submit
memory/1800-882-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1800-883-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1800-888-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1800-889-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1800-891-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1800-892-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1800-893-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads