blackshades | 1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
Size

520KB
MD5

bc904f7bb3afa91980a68cfc7081c1fa
SHA1

3602fd0487ad6515fd1743e4fbbe5c90e1bdb5ef
SHA256

1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553
SHA512

7d266bdd835253c99a879fd344b89fb6216ead3b5a910d47b24bbd7975d44776d1a17eabbddffdc6ea0f71f0b7172f3108c176e3184d63986663288f878b5089
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX8:zW6ncoyqOp6IsTl/mX8

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/1848-1028-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1848-1033-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1848-1034-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1848-1036-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1848-1037-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1848-1038-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1848-1039-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1848-1041-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1848-1042-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWXLQVCDAIB\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 41 IoCs

pid	Process
3040	service.exe
2612	service.exe
2572	service.exe
1972	service.exe
2212	service.exe
1328	service.exe
1448	service.exe
2400	service.exe
1520	service.exe
2932	service.exe
2704	service.exe
2760	service.exe
2132	service.exe
1892	service.exe
828	service.exe
2552	service.exe
1592	service.exe
2424	service.exe
2520	service.exe
2752	service.exe
2120	service.exe
2672	service.exe
2144	service.exe
1688	service.exe
2452	service.exe
1564	service.exe
2408	service.exe
2700	service.exe
2208	service.exe
2364	service.exe
1208	service.exe
1616	service.exe
1580	service.exe
2212	service.exe
2172	service.exe
1808	service.exe
2216	service.exe
1648	service.exe
1708	service.exe
2684	service.exe
1848	service.exe

Loads dropped DLL 64 IoCs

pid	Process
1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
3040	service.exe
3040	service.exe
2612	service.exe
2612	service.exe
2572	service.exe
2572	service.exe
1972	service.exe
1972	service.exe
2212	service.exe
2212	service.exe
1328	service.exe
1328	service.exe
1448	service.exe
1448	service.exe
2400	service.exe
2400	service.exe
1520	service.exe
1520	service.exe
2932	service.exe
2932	service.exe
2704	service.exe
2704	service.exe
2760	service.exe
2760	service.exe
2132	service.exe
2132	service.exe
1892	service.exe
1892	service.exe
828	service.exe
828	service.exe
2552	service.exe
2552	service.exe
1592	service.exe
1592	service.exe
2424	service.exe
2424	service.exe
2520	service.exe
2520	service.exe
2752	service.exe
2752	service.exe
2120	service.exe
2120	service.exe
2672	service.exe
2672	service.exe
2144	service.exe
2144	service.exe
1688	service.exe
1688	service.exe
2452	service.exe
2452	service.exe
1564	service.exe
1564	service.exe
2408	service.exe
2408	service.exe
2700	service.exe
2700	service.exe
2208	service.exe
2208	service.exe
2364	service.exe
2364	service.exe
1208	service.exe
1208	service.exe

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRDSCSTQYKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\XKMHFHXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAOTYFGDLEIX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEPRMKNCQXGSWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOSYEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\FUUHJECEUIPKOLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWXLQVCDAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECGBIUVQPRHUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRWDEBJCGVVIKFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXIUTUPOUQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MKOJRFHXGGPLTKI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAQHRNICCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\COSPDPAXDVUQSEK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNJYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCOAXCUYUQREJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\VQOQGUCKBWLXIHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQHESWIJGPBHMCO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOULIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUARLGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MIJURPTOWKLDLLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICWYCT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\EFABWRELGLYHTQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRFCQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\VTSWJNJHXVLLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICAHRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\AONHQXIEPIJSWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTBCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQCRBQRPXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSGJFDTSIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\FBBWREMGLITQOSN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUPSWUXINSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\BWAXLXIHLCMSLBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPKJPLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\NAIRYJFAQJKTWYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUNSLBLFDFWSTBO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\YUIVGFJWXAKQXXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVGSRSOMTOERIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WXUDDPVLJNIQEGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONHRYIFPJKTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVSSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOUKIMHPDFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEYAVPDKFKXGSYP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNKJNBEAOUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDYCQGUPNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXAANTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDQTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKKRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\SJTPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\BKBTKHCSLMVYLMJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUEPUERCAF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYGDRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOMKOCFBQVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYMKJNAEAOUMDCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\DXCPFTPMRERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSXKAOKHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RTJDBIRINFWNBLC\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2200	reg.exe
316	reg.exe
1296	reg.exe
2348	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1848	service.exe
Token: SeCreateTokenPrivilege	1848	service.exe
Token: SeAssignPrimaryTokenPrivilege	1848	service.exe
Token: SeLockMemoryPrivilege	1848	service.exe
Token: SeIncreaseQuotaPrivilege	1848	service.exe
Token: SeMachineAccountPrivilege	1848	service.exe
Token: SeTcbPrivilege	1848	service.exe
Token: SeSecurityPrivilege	1848	service.exe
Token: SeTakeOwnershipPrivilege	1848	service.exe
Token: SeLoadDriverPrivilege	1848	service.exe
Token: SeSystemProfilePrivilege	1848	service.exe
Token: SeSystemtimePrivilege	1848	service.exe
Token: SeProfSingleProcessPrivilege	1848	service.exe
Token: SeIncBasePriorityPrivilege	1848	service.exe
Token: SeCreatePagefilePrivilege	1848	service.exe
Token: SeCreatePermanentPrivilege	1848	service.exe
Token: SeBackupPrivilege	1848	service.exe
Token: SeRestorePrivilege	1848	service.exe
Token: SeShutdownPrivilege	1848	service.exe
Token: SeDebugPrivilege	1848	service.exe
Token: SeAuditPrivilege	1848	service.exe
Token: SeSystemEnvironmentPrivilege	1848	service.exe
Token: SeChangeNotifyPrivilege	1848	service.exe
Token: SeRemoteShutdownPrivilege	1848	service.exe
Token: SeUndockPrivilege	1848	service.exe
Token: SeSyncAgentPrivilege	1848	service.exe
Token: SeEnableDelegationPrivilege	1848	service.exe
Token: SeManageVolumePrivilege	1848	service.exe
Token: SeImpersonatePrivilege	1848	service.exe
Token: SeCreateGlobalPrivilege	1848	service.exe
Token: 31	1848	service.exe
Token: 32	1848	service.exe
Token: 33	1848	service.exe
Token: 34	1848	service.exe
Token: 35	1848	service.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
3040	service.exe
2612	service.exe
2572	service.exe
1972	service.exe
2212	service.exe
1328	service.exe
1448	service.exe
2400	service.exe
1520	service.exe
2932	service.exe
2704	service.exe
2760	service.exe
2132	service.exe
1892	service.exe
828	service.exe
2552	service.exe
1592	service.exe
2424	service.exe
2520	service.exe
2752	service.exe
2120	service.exe
2672	service.exe
2144	service.exe
1688	service.exe
2452	service.exe
1564	service.exe
2408	service.exe
2700	service.exe
2208	service.exe
2364	service.exe
1208	service.exe
1616	service.exe
1580	service.exe
2212	service.exe
2172	service.exe
1808	service.exe
2216	service.exe
1648	service.exe
1708	service.exe
2684	service.exe
1848	service.exe
1848	service.exe
1848	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2496	1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	30
PID 1956 wrote to memory of 2496	1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	30
PID 1956 wrote to memory of 2496	1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	30
PID 1956 wrote to memory of 2496	1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	30
PID 2496 wrote to memory of 2392	2496	cmd.exe	32
PID 2496 wrote to memory of 2392	2496	cmd.exe	32
PID 2496 wrote to memory of 2392	2496	cmd.exe	32
PID 2496 wrote to memory of 2392	2496	cmd.exe	32
PID 1956 wrote to memory of 3040	1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	33
PID 1956 wrote to memory of 3040	1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	33
PID 1956 wrote to memory of 3040	1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	33
PID 1956 wrote to memory of 3040	1956	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	33
PID 3040 wrote to memory of 2856	3040	service.exe	34
PID 3040 wrote to memory of 2856	3040	service.exe	34
PID 3040 wrote to memory of 2856	3040	service.exe	34
PID 3040 wrote to memory of 2856	3040	service.exe	34
PID 2856 wrote to memory of 3056	2856	cmd.exe	36
PID 2856 wrote to memory of 3056	2856	cmd.exe	36
PID 2856 wrote to memory of 3056	2856	cmd.exe	36
PID 2856 wrote to memory of 3056	2856	cmd.exe	36
PID 3040 wrote to memory of 2612	3040	service.exe	37
PID 3040 wrote to memory of 2612	3040	service.exe	37
PID 3040 wrote to memory of 2612	3040	service.exe	37
PID 3040 wrote to memory of 2612	3040	service.exe	37
PID 2612 wrote to memory of 2704	2612	service.exe	38
PID 2612 wrote to memory of 2704	2612	service.exe	38
PID 2612 wrote to memory of 2704	2612	service.exe	38
PID 2612 wrote to memory of 2704	2612	service.exe	38
PID 2704 wrote to memory of 2432	2704	cmd.exe	40
PID 2704 wrote to memory of 2432	2704	cmd.exe	40
PID 2704 wrote to memory of 2432	2704	cmd.exe	40
PID 2704 wrote to memory of 2432	2704	cmd.exe	40
PID 2612 wrote to memory of 2572	2612	service.exe	41
PID 2612 wrote to memory of 2572	2612	service.exe	41
PID 2612 wrote to memory of 2572	2612	service.exe	41
PID 2612 wrote to memory of 2572	2612	service.exe	41
PID 2572 wrote to memory of 1080	2572	service.exe	42
PID 2572 wrote to memory of 1080	2572	service.exe	42
PID 2572 wrote to memory of 1080	2572	service.exe	42
PID 2572 wrote to memory of 1080	2572	service.exe	42
PID 1080 wrote to memory of 2784	1080	cmd.exe	44
PID 1080 wrote to memory of 2784	1080	cmd.exe	44
PID 1080 wrote to memory of 2784	1080	cmd.exe	44
PID 1080 wrote to memory of 2784	1080	cmd.exe	44
PID 2572 wrote to memory of 1972	2572	service.exe	46
PID 2572 wrote to memory of 1972	2572	service.exe	46
PID 2572 wrote to memory of 1972	2572	service.exe	46
PID 2572 wrote to memory of 1972	2572	service.exe	46
PID 1972 wrote to memory of 3016	1972	service.exe	47
PID 1972 wrote to memory of 3016	1972	service.exe	47
PID 1972 wrote to memory of 3016	1972	service.exe	47
PID 1972 wrote to memory of 3016	1972	service.exe	47
PID 3016 wrote to memory of 2332	3016	cmd.exe	49
PID 3016 wrote to memory of 2332	3016	cmd.exe	49
PID 3016 wrote to memory of 2332	3016	cmd.exe	49
PID 3016 wrote to memory of 2332	3016	cmd.exe	49
PID 1972 wrote to memory of 2212	1972	service.exe	50
PID 1972 wrote to memory of 2212	1972	service.exe	50
PID 1972 wrote to memory of 2212	1972	service.exe	50
PID 1972 wrote to memory of 2212	1972	service.exe	50
PID 2212 wrote to memory of 3024	2212	service.exe	51
PID 2212 wrote to memory of 3024	2212	service.exe	51
PID 2212 wrote to memory of 3024	2212	service.exe	51
PID 2212 wrote to memory of 3024	2212	service.exe	51

C:\Users\Admin\AppData\Local\Temp\1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
"C:\Users\Admin\AppData\Local\Temp\1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRDSCSTQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe
  "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBIUVQPRHUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3056
- - C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
    "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIJURPTOWKLDLLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe
      "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVJKKT.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBBWREMGLITQOSN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2332
      - C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMUHNS.bat" "
        7⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDFTAO.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BWAXLXIHLCMSLBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        9⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYCT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAIRYJFAQJKTWYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDFWSTBO\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDFWSTBO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDFWSTBO\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "
        11⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGFJWXAKQXXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFVJQL.bat" "
        12⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRWDEBJCGVVIKFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXIUTUPOUQGTBK\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\YFXIUTUPOUQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXIUTUPOUQGTBK\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
        13⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQEGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTBCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCUYTP.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFHXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFGDLEIX\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFGDLEIX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFGDLEIX\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBIWER.bat" "
        16⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOMKOCFBQVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAGUCQ.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYMKJNAEAOUMDCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQCRBQRPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUJJ.bat" "
        19⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EFABWRELGLYHTQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        20⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VTSWJNJHXVLLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICAHRHMEVMALB\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\QTICAHRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICAHRHMEVMALB\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYV.bat" "
        22⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKNCQXGSWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSYEFCLDI\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJHPBI.bat" "
        23⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AONHQXIEPIJSWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHQCIN.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHRYIFPJKTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLS.bat" "
        25⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXJHLG.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJTPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempURQUI.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MKOJRFHXGGPLTKI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYCCBE.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VQOQGUCKBWLXIHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQHESWIJGPBHMCO\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\HQHESWIJGPBHMCO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQHESWIJGPBHMCO\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSEKPB.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BKBTKHCSLMVYLMJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWSST.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUEPUERCAF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYGDRVHIFOAGLB\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\GPYGDRVHIFOAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYGDRVHIFOAGLB\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOUKIMHPDFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
        32⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "COSPDPAXDVUQSEK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHVUH.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSGJFDTSIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVCQ.bat" "
        34⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNBEAOUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLMWSF.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDYCQGUPNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQRCVV.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCOAXCUYUQREJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEYAVPDKFKXGSYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFYNJS.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOULIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        39⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOKHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHJECEUIPKOLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        44⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe:*:Enabled:Windows Messanger" /f
        44⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        44⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        44⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACQML.bat

Filesize
163B

MD5
8b9d6ebd0a55bef1e986fe7572fd897a

SHA1
5d9440c2436eaf7fbdfcd47dd78a896e3b3b68c6

SHA256
bbeb4d053901b2420478598bf58b6e55efe0e8eef679f9a6b7b3d5c2fe54bdde

SHA512
46390329cb6ab6f18787e25f37eb35fa24e7cb633821cf2a455763f35a3b8a47dd506b797a2a6cd12662d1cb158ee1512aeaf7f2d31703bf67c2a33268e39a64

Download Submit
C:\Users\Admin\AppData\Local\TempAGUCQ.bat

Filesize
163B

MD5
050579798afbf98ce0cdfcf10e49106f

SHA1
cd49b641a870966344baa58340df16c9e5d5aa17

SHA256
48df32178b0c2afa0018ae749a3cfdd4ae3ca92dd23d3da9e76bdbb2a8862a03

SHA512
83e2bc128b2c55b1b1a5d7f917b8c81e054a34cdd7546e75d8e07cf9a532b65835efd0895d740dec3bac4f0befc45d7b1d4367c15c04e79eec70caf447ebf934

Download Submit
C:\Users\Admin\AppData\Local\TempAHVCQ.bat

Filesize
163B

MD5
4b0d872f3f416957a182ff7e52c309eb

SHA1
0f1b526a0543465b9e3dbeda4d433788776401c9

SHA256
6432bfed5b2ad0c9a8af3893a8ba1adc4366ebfb2bc5c0d373404ddac44baa88

SHA512
4655e8922a7735416c318b9fcbc22580b512c35518ca7ccc8085fba08adb232deb54b6266167f54a7911ae83310c9dc563da8189d836a2ee6d393e074749beb2

Download Submit
C:\Users\Admin\AppData\Local\TempBIWER.bat

Filesize
163B

MD5
775d6a6e2006ee955856119b76d9a171

SHA1
df9f2bf9970b0189f566b9a9901b058313f63117

SHA256
4ac4a33da4886763a490a24a1980a3322cae9932d23e074f735a7fb4f8125063

SHA512
8368ef6cdbd94b28cbbbf0f290e6247fa8e225c96e98ca976aba03ea94270014fa87970d77e51f64f3a790c42092a73d4e3c2d845056f59bca60b328c66f0455

Download Submit
C:\Users\Admin\AppData\Local\TempCFHQM.bat

Filesize
163B

MD5
239eefbaf454ce3171eb75aa104a7a8f

SHA1
50893d5e37d59ad3eefcba0a9e1ba21e577eec57

SHA256
42a5cd25a77b02f06eb1ae7a34748b049a79133c66d759506d97042a453c213a

SHA512
de14c047d07056c963f2ba149e747ccf5e0a2bbd14ed0fc999a9d66c4000f765ccfaa191825d6dfd4aaffe8536612ef7aac7a521a7f0904bf061151983d4711b

Download Submit
C:\Users\Admin\AppData\Local\TempCUYTP.bat

Filesize
163B

MD5
2252066b3bd4982b6eac3a3851fd56e4

SHA1
c0c78ceddbdeaa5aaeb7b8c78215a84b949da104

SHA256
737f1b04626159f79a9fb4dbd85e99c2acbe27253b59450fd2ec01eba21a0ee9

SHA512
25d0c2dfee1e24a7aee8d19b2af4966b9047cb4ec66d1f131fe35005d9d3d90358cce14943745b93d9d45507596747f2a621c669ef90c65e933c7b2261f1999a

Download Submit
C:\Users\Admin\AppData\Local\TempDFTAO.bat

Filesize
163B

MD5
968a53c51974f921417e2a0fbfc8707c

SHA1
1ac2475903c2839414fb3f8b9776c80e8aa64224

SHA256
3216233148035c69473b385b7a97b3eda512e549d6fdf5929c022835289301dd

SHA512
41efa34d3675f6ec0e725fe8c1c5799b9155239d5c220117e919d0267f755300b6aa83b81502f0848ffaad39bdc19ad3aa4994d36049d04d5d77e4956aaa3bbd

Download Submit
C:\Users\Admin\AppData\Local\TempEDHYV.bat

Filesize
163B

MD5
6e41e2c2744a82d14804eedd879aad75

SHA1
76ef457877c17405145047c1529dedd08f45cc64

SHA256
e4746a595fdc615924a1ada3e77f3e8f9678160c8eb9c179c4c176ee364e7caf

SHA512
59b434da532ab2e3e94b44caca3c7c8c6ba110ff50be29107ad217e934bd7eb856d6db8173915a2c8714d6e0c9b58086c9d7e2309bd5d9a9079dddd4871e8feb

Download Submit
C:\Users\Admin\AppData\Local\TempEYNJR.bat

Filesize
163B

MD5
392b0ea376b23d5132653625d537b78b

SHA1
5f095f14c20d11d634170d133bfb9ad715380900

SHA256
b29f6b60e6e6bc1e204bd92a62b2ca1da8aff01928f33170192d708838e7d555

SHA512
320d309745c25686a6e13fc0b263b4fd2cb0a2aab4fd0fdefeefcddb16b0dd9703cbc4797a548a4fabaf8588121d420f75bbf64ad1f1bb3384a4e0f93893ecb7

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.bat

Filesize
163B

MD5
4d9cd846e5ae462f57399f84e8e50885

SHA1
a2248c46ef224387d91bd5657b3bf57f5ecc68d4

SHA256
1326f6b17d8bba9c841d6e9a9cacbf6684206d466e390ca9b71f58a486835aa6

SHA512
dcb18b43f1485e0259bbcbd8b74bceaf77b9fe64a6d0f81f0eb8127e472c481bdd644bc1c24f1333ad4f44019b5c9bad19960bfdb7205c281043d04e47ed5c54

Download Submit
C:\Users\Admin\AppData\Local\TempFVJQL.bat

Filesize
163B

MD5
839be4c40aa729bf920bea3375132019

SHA1
f195866d2bb0b3549c0befa2e6393a3f44b02c66

SHA256
16f5f379171f1467ff40f850a152fdd5e7d8b2312dbadb667d5d2002a1705f3d

SHA512
14cf5d9973003474f555de005f536872cd75bc7468b25d84faed3eb6040f4436a9307dfd67e592057dd7459767719f2c3f2eba853ae37d23edc1104fcb6cf60c

Download Submit
C:\Users\Admin\AppData\Local\TempFYNJS.bat

Filesize
163B

MD5
29be58812a799c4a492a02f39ecb4c84

SHA1
0e551d46a4db2e5bcdb6e3779f8f1338f45bb840

SHA256
f1e498c3c7f338b153a9b9d548a56e60cdc749efc4d4d7711851b1ccc00cb054

SHA512
681abd8cc7179e46370c913d43b4440b66766dab1a47cdcd89b2761cb482e7493d994155ba75c351c70a198f7e27a9910bd4a3d7e8bdcf1b21568d5e63f631c7

Download Submit
C:\Users\Admin\AppData\Local\TempHQCIN.bat

Filesize
163B

MD5
4f8e2eb175512bbf2f4fcac496593d63

SHA1
462a3cfe0bba8a1c439dd568b5e8014ad39dd58a

SHA256
af46c409447714c8112f5d2dcbab67e29f528e068fa3c4bbc0a0e9ef79041b75

SHA512
0e5cfad7ac2fbef753f9b88590c4a84dea8cb9277392ec9dab9905055884c07f32ac4e73e57bad871b6139d84f9bdbcdd0a3b2b4e8794efeb700501a087f73bb

Download Submit
C:\Users\Admin\AppData\Local\TempJHPBI.bat

Filesize
163B

MD5
00b7af44531088a30a6650987a99ac2e

SHA1
7a862f2ac92c365d7aa9372c89dcce37bcf35510

SHA256
31cc9867679c60f20a00e3e5d05d20dc63a7b0e915a1889fb153195164c4fe65

SHA512
d50df0c790741e63dfdb7baa4b59a3133c3f8ab8e699fe34e016d871aab54e3c7947a5693aaed48e19ba4d2ab313c17460d9c6eee5a1c003214a2a3946f2b722

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.bat

Filesize
163B

MD5
73d37ff4d258d589a7b1a779d892b8c2

SHA1
9fd2b626a9089fb4e75440af96657c53bbfad5a8

SHA256
96913125da57922f4822e21f7a4f0a4582067e0330a32f8436c6d497026214c3

SHA512
94cd247d530e0e1a1add27721d195b5a5a1358fd8ecbea9cf8a93937efde42afeb42bb9d72a66b46bce4c1e8db6bf9855479d513e2bb90f13d7830434b933ab7

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQD.bat

Filesize
163B

MD5
6a401fac14448a283b090176a53a6b0a

SHA1
d154a2cb98ece0bbe8a6f2d73a905132a15235a3

SHA256
25b5dfefe526d611b4e691a065a0a720f6ff92ec69dfb886fa4120c3d224818f

SHA512
4c2308e6af81edcce42193761419bf3017336aa6858191b30bc2342128273deb45486b44874813e5182715b6b7e472874db8a4d3a9343ea3dce1c94c98434887

Download Submit
C:\Users\Admin\AppData\Local\TempLMWSF.bat

Filesize
163B

MD5
e14077320dc6fd79041e1f2f5c53daa0

SHA1
9489ceb4b9d6d491d9c6bf1a310ff5172a21c368

SHA256
32817daded980b0f45aac82c119f2819e6ce8edeff2b9b5a6a3c6733cf81c254

SHA512
18ccf852fb3d3aa17a812a198521cdaa408a2440912773ad88e54fd895e79f1f2187ca75f1e649c01fa03de6194318f8e690ff4fc5003470eede6d907a94402a

Download Submit
C:\Users\Admin\AppData\Local\TempLYGPG.bat

Filesize
163B

MD5
15e05fdc71652f296c61ae42e5c04195

SHA1
c75ae3b50c6d4ed5eca1b8aeb9f2e6a06bd38e01

SHA256
46ccdad777073735a775b31f7aaeb38e669b693ccb760453323685a209ab44a4

SHA512
51614faf4dd3fc53dabe02991a4791bf930c88cf58c5e46d1aac8a31778424813de623f03a1c648d0714efddf47e44609e1a75bfb279a18f9ab7a5567c1d4097

Download Submit
C:\Users\Admin\AppData\Local\TempMHVUH.bat

Filesize
163B

MD5
6b59d999e606a2c32de96a7a4edef223

SHA1
9df5cde8e3a822193a315810c5eefa2e2a20f59a

SHA256
d38661466ddf8f0b8ec894434b33dc88ecc02300f5edc096cd2f810079f509c1

SHA512
8f58ecb7c76a31c405f7e13237a3bf575beb9badbd69ea80d80c1903b286e7dd38e78fb9118afb187125d26fba685dcce4a49636c3230bb904e1f781df609365

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.bat

Filesize
163B

MD5
e750830546594ba03c5ea5e32e92aec9

SHA1
2a9175b0087cb38f4aae3e8532798c4361e374cf

SHA256
d55f52f8ba878799b8c0c8838d9ebe80c975b31e80c2fe1e756d7423692ad518

SHA512
f7c50813a8a62cb5505bd0d5cdaa9b35653d262eca414c1c78d49fa873f2adc0a5ccd5321ac5548a03bbd11450eb0bfc04a372098ea44dd5f3623dab8c69d94e

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTI.bat

Filesize
163B

MD5
5d5e18098b3cf11c1c03c39e3a4f55b2

SHA1
e4abcfae36455e36bae3444131488fb3f5b4de18

SHA256
ddca790c8f551f43ee598e3d5b7502657ea2ff8cfc01342e020fedc7ceca6266

SHA512
87fe2947d348c3b2a3f1d635edc9b01604f4bac699823ec4102a7664f9f083dae09a57e26b2a5ae357b80a065941d1bcf4d862e32f83405d11dc159c2cad90e0

Download Submit
C:\Users\Admin\AppData\Local\TempMUHNS.bat

Filesize
163B

MD5
3c9866df0081bf211407a2e5ef5b956b

SHA1
27c071f2ffd32e19eab77cf1f14bd73d7380fce4

SHA256
7e0d3b53ef1eff61a0dda5f24bc00c980c12eed99c2087f11286e06c96cae586

SHA512
ef5aee8c438ded5dd4c03ef16c951f8c86eeb7ad0d19ded0db1247ff26c7f09d610325e4c51a353a1958613054230d08d287081065c71ee616856acbe1f612ec

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.bat

Filesize
163B

MD5
0e84f3bcd40232c8eb14e54587f94776

SHA1
e7648e0fc12856e52efec01dedf8cb4eba0c9953

SHA256
ea568b80a63a5b79adc0dc2fee080588c2e7f9747730bc2a2f019671618ce98e

SHA512
7da9c91d583165b2af80ca23f0f398d5a56e10c2a4d07729c36c2a68b260c26e65b4722093bd03a59cb643348b63572aa12827b92e832e1abe290e60f67a6f58

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLS.bat

Filesize
163B

MD5
9f996b54a13d663907c4f20701de7171

SHA1
e91a9522d2f4c7e947f72b76af7ccb1732c68f66

SHA256
118ba6c8e8580d7820c7359f787f87a946a3960e87575536c2a7154e77e6a2f1

SHA512
ba495db0b354dc66583103ca85428ab80f5cf5e95d208977c8042d658bc1bd044fc0f679ca50a993ebc438f5806ef9dfc0579a258e8ae9c9d3c493f01f74cbd4

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.bat

Filesize
163B

MD5
5d5ceb7316daba9b2fd663bc7eee7e8e

SHA1
71e6ff54f62c8ea6d0175986d439a8755e342858

SHA256
e5cf4d0f638e4a27d0e10bcc2ff21ee331adc6d5424cca15bbec8573fc642256

SHA512
6798493031ffa663aa63447c2f7afdb9cac7c18626b9c5d7919d7aac55325f620857279bc178476b254f6adf429989f69ea71580fbfae2672455646cd7ebe3c4

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.bat

Filesize
163B

MD5
7c7560bd26b1d6cd613d649ce60d47d4

SHA1
3936e3681cdc354c5188c7e96645747b32de5ab1

SHA256
1feefb6b27ca887782408ff27f0e94a6a8ccd7308098df805cf46338930adb4d

SHA512
1321e969c71a79e0af584b8fad62e0b7b83113b2f104e16de127350342f3f1e82ff4054d3fd9ecff5af37431cd6f2e3d24fd96d2d904e110bf95ef50971cd598

Download Submit
C:\Users\Admin\AppData\Local\TempQRCVV.bat

Filesize
163B

MD5
a10af8ead2ab9d0bd7d285f9a52f74e8

SHA1
cac553a4aed20dc65cac5fea0469f8e04c154424

SHA256
e751e8d49db817ca6ca6e80323db67217b6d64451ebac4f32b007694e51a88b9

SHA512
76fd0aaa92e85e4a415452cf974b7c21731cf56e53e279ee3c7e313c530e4ca6cbbbf80e1e57f2e894c9676f901a9dd929a7212295531777c50e8a4e2fd01875

Download Submit
C:\Users\Admin\AppData\Local\TempRMUJJ.bat

Filesize
163B

MD5
1bc3fea9f47b62158e96f9c887c4e15a

SHA1
4e79a920c7df0a3bc564f074a3a52a6f736367a9

SHA256
3bea3ce73171f8373ec63b4ad065f6a7d149d3125c116cec1a0096401d95b321

SHA512
e4114ff25e7217bf639128720921b9ece015dd4389eb634315a3217b54f92a04ddaaf7cbc362d9c2a0022489584afbb4d720ced750dc0e831c14957b17521e89

Download Submit
C:\Users\Admin\AppData\Local\TempRRCWV.bat

Filesize
163B

MD5
93e578a07bdd09e4452221cffefabb23

SHA1
177b81da20dc70769605b4f85fc9e0b6db7882a8

SHA256
35777461b4be40f64af0bdcd1b6decce795fe64f08945718cb3a5e2451b5887f

SHA512
1348462225be53daf7132684d93f4f9d6e9444c06c1336d3d90a6d4c98d1edd45d3f1eeb12a2fa501741e5da9920451d01e2f6d550cf775a6176eb6b9f029064

Download Submit
C:\Users\Admin\AppData\Local\TempSEKPB.bat

Filesize
163B

MD5
6ffc282171b45a5589e2b31c851492f6

SHA1
f8b7ffc823dba63899d9e94ef9af968f0efc0596

SHA256
9f92e7db7e435f1e621fc92dff7c9c0db90e2900bd5653a19b6272f2b9edd988

SHA512
a76b42fc5e8519c509de5b594671d35f5baabdaf2449014b8613f033c671a81d3f3a1e8384370408c86a9544f96c321b23983c817aef5cc4862fd3c211788745

Download Submit
C:\Users\Admin\AppData\Local\TempTRVQY.bat

Filesize
163B

MD5
cc2281b5290761dd2186c3350cc6f4a4

SHA1
17624a63b7d755f01bbbfe2898ad67b1d2a1a24f

SHA256
f03902729551f314f17f2ebd714aa5f186553d3c0f666017dbebd151cd4fc2c5

SHA512
444e26b2253d5bfe51b3d12faab6d56ab5fbcad19333b9a5c6e0ab645af918df3f789a32816ee438bebba76357c0df4dfb969d7f9fa9adcac29c49307f1991b2

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.bat

Filesize
163B

MD5
001fda6fb81f59f183629491e07d6ea5

SHA1
887172a96b984ce68a23ad449c1bee0ccc89b206

SHA256
17b05c2bfa9a136278b1df9bdf7f8549ccca141d2e1dbf7d385386d3da0f7e49

SHA512
308218b3a94a67cb0c4f3a96e79a9210cb02bbc4458ce6603dacf72d2d21a6580d15496e8b26565f82bcc144cabdad17cf1649eb9e277a7b4b4fff0ff6723fde

Download Submit
C:\Users\Admin\AppData\Local\TempURQUI.bat

Filesize
163B

MD5
03fbd64ebda5abca44504f041796b7ba

SHA1
3fddc6704b7f422e4fa41e3513bec791a291e9ac

SHA256
a56c6bf840e8f44a21797627f6815154a638d5343a2d7b28ad39950486a8eb71

SHA512
42179a54567dc2daad4beb69585cfee87a24fb902c48171870d816546f1d4a0934d043c6705077fcd7358742684777d50c91a92025ac0450db8411a0552ee7b7

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
6c0c0682818e396dd2f8d9cc3b15a377

SHA1
a7eef2f27232378b934bab9619f061106b788aa8

SHA256
67b5558d7dcd6bbba6bb4af5c56c29ac8051add17ef2e9f8e2f1881230ff9492

SHA512
3a31d50d9a6c59aa3e3d742a5bbd6d4f7a5eaf40e8d3120ec43d088be209e321f8e9efd3497c408bd1f639dd0dab0bfb1b9525b80d50e09774bda341a3e16bb0

Download Submit
C:\Users\Admin\AppData\Local\TempVJKKT.bat

Filesize
163B

MD5
e1aa77ec10b36c8029fbeef215adb276

SHA1
9cf99ce961e32fddf3ad986134f51f931db15d66

SHA256
30776d62595de30ea3cb0845a2b745687b39d3c0f1acada091953cd906bef92a

SHA512
80762902ee8ebd72cb10f1be4d9597f396369ac5ad20dd4bf96e045be0a386b11dfb452da13e18bc9074d952ce6f7a00c6ee08baf85f0e15f1795e1a73c16d89

Download Submit
C:\Users\Admin\AppData\Local\TempWALYJ.bat

Filesize
163B

MD5
b4537d9f9239a9d8fb8d2064451913c1

SHA1
34090adc73b2d6b3b0cf04d885a064ee6e5377c6

SHA256
f38f04e0cc27cb23d191310c696c4884db22e4ce7ea87203b351dd596dc1aa56

SHA512
03efe5b20261c714833d2521397ba672cfe94ec888ca856b6ef7302115523be05032f37511de4e09e412900935380ddde02251feb71cf660bec32afca2763fa4

Download Submit
C:\Users\Admin\AppData\Local\TempWFFOK.bat

Filesize
163B

MD5
3fb6f383a6569a2644b9b521c3c29c63

SHA1
11473a58356b244d8a54c78626a17d72b634a474

SHA256
d3db2bf635e6d3a7e421257da4ec663bbdee3310bfcbde23237e73d8ad371335

SHA512
195c1c7a17fa85fc9953131516727c008a75f3ba97c625ae1ea7fae417a880159a6baf906f0a9fa2e3e69ef8707fddc54b472788a8e36948cbb94ca54ef1bde1

Download Submit
C:\Users\Admin\AppData\Local\TempXJHLG.bat

Filesize
163B

MD5
89329da6cb84f567f49130dd845e5218

SHA1
d5d6ded7f3a30c951b829fceb0e4daa90abd5249

SHA256
8a2c14a91a49e2ec5f7023a678538ed4f3f7c9dc513f83081666b4b97a375cf8

SHA512
1e726c20c60564aedded61da995a6bf54810c6dbd8e8d764f2b3ab7d5d25f28133b476c7d096e181e77b0eaee434a6ffd260936bac5e3ee517b900dbcf366d06

Download Submit
C:\Users\Admin\AppData\Local\TempXWSST.bat

Filesize
163B

MD5
da8b8cfbccd8ff46867d915fb4f0ce64

SHA1
d677da0fa2389853aee1357f530d4d7f41e14309

SHA256
bf81368bd5776172179ad0e8425a48419aac39b80f6e095487a6457c38701e1c

SHA512
245c0eebbcd86c84a1005d1b7a3cec24483e0800244a2f642ca265d019de8396560950ad464833105126cf94c84a1ac2610da3e026e0464f561eb0a5299800a9

Download Submit
C:\Users\Admin\AppData\Local\TempYCCBE.bat

Filesize
163B

MD5
5b9e8aed6bc22904e419bd124f0e7c12

SHA1
8703765eb48d184edde353b543a63fe1885568a9

SHA256
327de9081612ae74a488a74fbeac755427c8a6d9474580dee58d1e4f8b0bf67b

SHA512
ae07e550c05191b2443b63c7ef8f631d33fc16091a45bfaa0e58e5a272f91efe17047816dc1e1ea7e08ae1366dc6bc34590969c83de4e488e9953654db760f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

Filesize
520KB

MD5
b1695a7da9077b8b5bc5dfdd65f6fdaa

SHA1
cb0202b1e58923be6fd6f67aed0a9548b9c8074b

SHA256
e67d89bbde4b658d165ef3963b5d1c6150580eb70eccdc3be2e583c885ff4ff3

SHA512
225560a73c88f471d573bb06cae3850437f99c636bfbe9ae3d8bc42b3d2d5e20ed4926f95be4258dd7c07421b22e8afcacedbf909864ca8c4aa2d4d8019bfacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe

Filesize
520KB

MD5
d21ed3965db086029331a70f2d5a1a16

SHA1
964572b67237881d4b8900f38d7a59bfbcc544c7

SHA256
320bd2df686d6f6751e745fa9edb05f1d4c8d5daa9d34c8b0681fba65df0cf54

SHA512
517264b59edbbb5e644f7d531c6b430478de724a6b3e8968c5b712d8bfb2fa8664d7ee31490849b37b0b1cc7342f16f002b639a0461447619bca461a6844acd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe

Filesize
520KB

MD5
c28840a4d01642874ee3a328a40d2cbf

SHA1
a6001b0e5a8361508398f7865587325ff2990052

SHA256
2eef019b7ea286adc67e09585e03b485580b7640c06d9b5c825b53e160df7c8b

SHA512
6be373a63bd1e25400b869da5120eace40559000256e3b2af6069c9cefde85e616f4c848c0eaec4c569ff4940c2180bd7e5688461b726a8cb5ef0ffeb18d0715

Download Submit
\Users\Admin\AppData\Local\Temp\CUNSLBLFDFWSTBO\service.exe

Filesize
520KB

MD5
59d66b27d746b41f852746373e08f996

SHA1
2865ffa12ee50715e97c58e91d8e25f8e60b71dd

SHA256
10290926bda6a9d12ef371c3025d4b620a8f6a9de59210d161a7e31e11316570

SHA512
c90f0ed8b0e747b20d90b40ca9962cde8d3066b551c8cf09b26b398805a496208d86d59d7506a4dee993cf288fac59dc8d1fb380a29eb7c5b980808b51dfc51b

Download Submit
\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe

Filesize
520KB

MD5
ebae6d482773234b35c55e3d643f6bb1

SHA1
f28fb7bafacd1dd9504c5936a4a4a03f2fa7b878

SHA256
31e337d889a0d2a542718356d03bf2593abfeb9c8dd304c4edbb736156212ee4

SHA512
86ca3bb2f2f60e82bc938e820d86693c40854a9d3fbea6f1d10a149e14fa5e24d543d81d4da97d9c2ad6f1a23a1ac8974e20fab54a4441b431308fd8a569aeab

Download Submit
\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe

Filesize
520KB

MD5
a6477b92ba87794dbc67d78f0aaa921b

SHA1
636572695283c0e0dec4e4e51483bc760160dc97

SHA256
ced118aa8647a3a93a83de89f162b54494a14b30bb8a6f8ee04246ca97022510

SHA512
d1fa15f8c63ca50e286840ed94434a0a9fc6fc17433cd7e2a78190784f0041be11e3cbde94be8a73f7952e07ac07a2a0d388d30a8bce4d1b35738eda871c502d

Download Submit
\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe

Filesize
520KB

MD5
3270c200007911bbbb6abed1ebd0b87b

SHA1
60070bb768921d92545b8254e4a6e747235534be

SHA256
59f73812f9a1db1ad435111c39d92ab0291681fb5b477bfdd2ac6d558b4bc4f7

SHA512
710660f313c22db43e814e69b1f0bf506966ab7f1b6746a4c07857f3fe4c388c6bb8fc73a48c62f324d78e83c0ad57a6fce3287cefb147d77acdb6c15d58054e

Download Submit
\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

Filesize
520KB

MD5
be9e2eba999f39627646d4e525d7d41a

SHA1
671b3b7693b69301ce2894b87baa3b37bf45b6ed

SHA256
808ee9cf84fe7fa1ae607e0ac0cbad4ce030ad3096c0f536329b1b123d348aec

SHA512
1f57ee9d00e30737dad028a0b3720b91ee3fbae85baa56cb3f5cb16a1a2c9e76c44a00d020db9d3ec1aa058c1b39d584cacdcffb3f314efbe6e30cf8c43aa19f

Download Submit
\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe

Filesize
520KB

MD5
aee3554d32d8c1b323844bbe265e132e

SHA1
55dbc231445e730e6bf512c4a4356b586f5d465d

SHA256
b40d625d922ed452d64cfa2399be39b9c944957602fbd172ccd18e4b3986b4aa

SHA512
4a5c4011fc7f6bc7c931d85d3418128db6a68a72b3feafdb6827a2adf9ac6f03ee8ea4be46a8e2af5acf5d1ce67dc9846a919b0c6130bd487fd2192ecebe9edc

Download Submit
\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe

Filesize
520KB

MD5
a380fcc27e59c91df48c3bb239140178

SHA1
d52c4802185a2da662a1d9f7c94bfee3c4873193

SHA256
361800a58e273c0be114c24cc6eea0253ca0456366ce6f6e1631330b3f5337b0

SHA512
ee4252055b83aa96920272401270e53ae5d323620d326acf4fa694bda4a0f83224399cc8fe8dd3d25ccb91e4f39e00e2757ec38bc64c60b55659a90b96625bb7

Download Submit
\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

Filesize
520KB

MD5
e2aff5481f297dc2881b692cb4301993

SHA1
b26d2e8207cb9fd77378971babdf8f3c3f87c5f7

SHA256
feb089bc3739eb678298d222efbcc901feb906def4feddce2b717d0fe4ed5ba9

SHA512
8f86f3b613619708a9962ca7b2ed831ab6bb8992bc5d845d7fd7e4d4cddaade8a6dd6cbc7547f9de65f9762207bd33b8867d3156734c9368035eb1e94b7de69a

Download Submit
\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe

Filesize
520KB

MD5
ebf74b5b0f1a261aed0d71675d586cac

SHA1
e047cd42475c2517bd7aa742204adee4ff462c9a

SHA256
d9475121629bd3ce20aa20e22852844ff0eb4fa4db4ff3944b3d115d87bc36db

SHA512
de2414029a623c005bc0c6e256f2969e7792a2254a7144cf23790e19d41cfebb8800eaa18d6bee88d402918f7d00b3d75515f7aa45d73876d074c459117c8292

Download Submit
\Users\Admin\AppData\Local\Temp\YFXIUTUPOUQGTBK\service.exe

Filesize
520KB

MD5
5ec105f40dfe98839294605e047cf60f

SHA1
82feee039a8b7bba96ee80ebb6eb98c4e8d5adc1

SHA256
e70ce0ade8aabc35516c95418daf8f0e132a5431230c1f0c590d15694624e728

SHA512
2138511ec55ed57de1c1d5c82a67a3734add7de543967fdeb65b0afade449bed11910f0aff37069f56dd9f8dc42404db9140445e5b5bfd66c6f56d1056b58090

Download Submit
memory/1848-1034-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-1028-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-1033-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-1036-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-1037-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-1038-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-1039-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-1041-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-1042-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1920-942-0x0000000077560000-0x000000007767F000-memory.dmp

Filesize
1.1MB

Download
memory/1920-943-0x0000000077680000-0x000000007777A000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads