blackshades | 10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe
Size

520KB
MD5

92b2485b8020c51b1b7b877e63204dc0
SHA1

35e320399c6aab036d0166ed70681e8c83fc06fc
SHA256

10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43
SHA512

e6236daccbaf009411681672633525fa54e19918efb5ffd0fc027c8feb650259427bd42e0936c857100caf5ee8b22cc4f4a063781287431c5a067044431b252d
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXe:zW6ncoyqOp6IsTl/mXe

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 5 IoCs

resource	yara_rule
behavioral2/memory/1532-1195-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1532-1196-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1532-1201-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1532-1202-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1532-1204-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 47 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 48 IoCs

pid	Process
3264	service.exe
2752	service.exe
4388	service.exe
404	service.exe
2532	service.exe
4768	service.exe
3708	service.exe
3028	service.exe
1084	service.exe
4048	service.exe
4220	service.exe
1392	service.exe
4520	service.exe
4172	service.exe
692	service.exe
5076	service.exe
2984	service.exe
1744	service.exe
860	service.exe
4924	service.exe
2608	service.exe
4084	service.exe
2884	service.exe
2288	service.exe
2136	service.exe
2932	service.exe
2616	service.exe
4892	service.exe
2184	service.exe
2736	service.exe
832	service.exe
1792	service.exe
2260	service.exe
2740	service.exe
1996	service.exe
2584	service.exe
1796	service.exe
1720	service.exe
2360	service.exe
2168	service.exe
4608	service.exe
1096	service.exe
4220	service.exe
4844	service.exe
2352	service.exe
2988	service.exe
3800	service.exe
1532	service.exe

Adds Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FXPLGWPAQAPQNWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPUFGDMEJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WRPAUHAUWBRKNPY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXEOXVFCMGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVACSOPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUPXLNFMMVRQFOB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWEBPTYFGDMEJY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHBRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMDIARIGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BPXPCEYAVPDKFJX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FHXGGPLTKIURQUI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVYJNTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAXTRAATJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDWUDDXMIQHFRON = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWVXJNSAFCRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMAABWBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGSTOMPESAIUJV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECGBJUVRPRHUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KUQLUGVAFVVTCNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOJYWMWQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAJASKGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MNJHJMUDOTDQBAY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQVGHENFKBY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNLJOBFBPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSQXTIWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCBDYTGOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRAUYWKOUABHET\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVJKFDGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUDXNRXDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSXKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRINFWNBLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYPKJXENWUFBMFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FLYYKSJTPKTFUET = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGCXRFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXEFCLDIWWKLGEH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ANJHYWMMOJCFGQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXIJHPBHMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OTPDPBYDVVRSFKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMMNIGNJMTC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYEFDLDIXWKLHFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEFBGBWRFMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVUYMCPLJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPGXODND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NXOJIWDMVTEAYLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXIUTUQOVQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSWIGKFNBYDVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SRVIMIGWULKNIBE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PQMLYFOYVGCNGHX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMYYCUTBVLYBGPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RJSOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKVOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTSWJNJHXVMLOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IHLCMSLBBDFSAON = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XTHTEDHYVWJOVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKDIPYBBPUMUIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNTYKIMHPDEXVEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUQLGAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JRFQGCYXBOESOMR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMMNIGNJYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XKMHFIXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NPBHOOXTSHQDYCQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTTHIDBEUHOJOLW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSAVYXLPUBCIA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUUHJECEUIPKOLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWXLQVCDAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFAAVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQCCPVNVJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QNBNVBTXSOQCIPP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3800 set thread context of 1532	3800	service.exe	281

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1420	reg.exe
2512	reg.exe
4544	reg.exe
956	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1532	service.exe
Token: SeCreateTokenPrivilege	1532	service.exe
Token: SeAssignPrimaryTokenPrivilege	1532	service.exe
Token: SeLockMemoryPrivilege	1532	service.exe
Token: SeIncreaseQuotaPrivilege	1532	service.exe
Token: SeMachineAccountPrivilege	1532	service.exe
Token: SeTcbPrivilege	1532	service.exe
Token: SeSecurityPrivilege	1532	service.exe
Token: SeTakeOwnershipPrivilege	1532	service.exe
Token: SeLoadDriverPrivilege	1532	service.exe
Token: SeSystemProfilePrivilege	1532	service.exe
Token: SeSystemtimePrivilege	1532	service.exe
Token: SeProfSingleProcessPrivilege	1532	service.exe
Token: SeIncBasePriorityPrivilege	1532	service.exe
Token: SeCreatePagefilePrivilege	1532	service.exe
Token: SeCreatePermanentPrivilege	1532	service.exe
Token: SeBackupPrivilege	1532	service.exe
Token: SeRestorePrivilege	1532	service.exe
Token: SeShutdownPrivilege	1532	service.exe
Token: SeDebugPrivilege	1532	service.exe
Token: SeAuditPrivilege	1532	service.exe
Token: SeSystemEnvironmentPrivilege	1532	service.exe
Token: SeChangeNotifyPrivilege	1532	service.exe
Token: SeRemoteShutdownPrivilege	1532	service.exe
Token: SeUndockPrivilege	1532	service.exe
Token: SeSyncAgentPrivilege	1532	service.exe
Token: SeEnableDelegationPrivilege	1532	service.exe
Token: SeManageVolumePrivilege	1532	service.exe
Token: SeImpersonatePrivilege	1532	service.exe
Token: SeCreateGlobalPrivilege	1532	service.exe
Token: 31	1532	service.exe
Token: 32	1532	service.exe
Token: 33	1532	service.exe
Token: 34	1532	service.exe
Token: 35	1532	service.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
3920	10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe
3264	service.exe
2752	service.exe
4388	service.exe
404	service.exe
2532	service.exe
4768	service.exe
3708	service.exe
3028	service.exe
1084	service.exe
4048	service.exe
4220	service.exe
1392	service.exe
4520	service.exe
4172	service.exe
692	service.exe
5076	service.exe
2984	service.exe
1744	service.exe
860	service.exe
4924	service.exe
2608	service.exe
4084	service.exe
2884	service.exe
2288	service.exe
2136	service.exe
2932	service.exe
2616	service.exe
4892	service.exe
2184	service.exe
2736	service.exe
832	service.exe
1792	service.exe
2260	service.exe
2740	service.exe
1996	service.exe
2584	service.exe
1796	service.exe
1720	service.exe
2360	service.exe
2168	service.exe
4608	service.exe
1096	service.exe
4220	service.exe
4844	service.exe
2352	service.exe
2988	service.exe
3800	service.exe
1532	service.exe
1532	service.exe
1532	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 3928	3920	10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe	86
PID 3920 wrote to memory of 3928	3920	10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe	86
PID 3920 wrote to memory of 3928	3920	10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe	86
PID 3928 wrote to memory of 4160	3928	cmd.exe	88
PID 3928 wrote to memory of 4160	3928	cmd.exe	88
PID 3928 wrote to memory of 4160	3928	cmd.exe	88
PID 3920 wrote to memory of 3264	3920	10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe	92
PID 3920 wrote to memory of 3264	3920	10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe	92
PID 3920 wrote to memory of 3264	3920	10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe	92
PID 3264 wrote to memory of 1720	3264	service.exe	93
PID 3264 wrote to memory of 1720	3264	service.exe	93
PID 3264 wrote to memory of 1720	3264	service.exe	93
PID 1720 wrote to memory of 2872	1720	cmd.exe	95
PID 1720 wrote to memory of 2872	1720	cmd.exe	95
PID 1720 wrote to memory of 2872	1720	cmd.exe	95
PID 3264 wrote to memory of 2752	3264	service.exe	96
PID 3264 wrote to memory of 2752	3264	service.exe	96
PID 3264 wrote to memory of 2752	3264	service.exe	96
PID 2752 wrote to memory of 4596	2752	service.exe	97
PID 2752 wrote to memory of 4596	2752	service.exe	97
PID 2752 wrote to memory of 4596	2752	service.exe	97
PID 4596 wrote to memory of 3412	4596	cmd.exe	99
PID 4596 wrote to memory of 3412	4596	cmd.exe	99
PID 4596 wrote to memory of 3412	4596	cmd.exe	99
PID 2752 wrote to memory of 4388	2752	service.exe	100
PID 2752 wrote to memory of 4388	2752	service.exe	100
PID 2752 wrote to memory of 4388	2752	service.exe	100
PID 4388 wrote to memory of 1128	4388	service.exe	101
PID 4388 wrote to memory of 1128	4388	service.exe	101
PID 4388 wrote to memory of 1128	4388	service.exe	101
PID 1128 wrote to memory of 4528	1128	cmd.exe	103
PID 1128 wrote to memory of 4528	1128	cmd.exe	103
PID 1128 wrote to memory of 4528	1128	cmd.exe	103
PID 4388 wrote to memory of 404	4388	service.exe	104
PID 4388 wrote to memory of 404	4388	service.exe	104
PID 4388 wrote to memory of 404	4388	service.exe	104
PID 404 wrote to memory of 1648	404	service.exe	105
PID 404 wrote to memory of 1648	404	service.exe	105
PID 404 wrote to memory of 1648	404	service.exe	105
PID 1648 wrote to memory of 1616	1648	cmd.exe	107
PID 1648 wrote to memory of 1616	1648	cmd.exe	107
PID 1648 wrote to memory of 1616	1648	cmd.exe	107
PID 404 wrote to memory of 2532	404	service.exe	108
PID 404 wrote to memory of 2532	404	service.exe	108
PID 404 wrote to memory of 2532	404	service.exe	108
PID 2532 wrote to memory of 3596	2532	service.exe	109
PID 2532 wrote to memory of 3596	2532	service.exe	109
PID 2532 wrote to memory of 3596	2532	service.exe	109
PID 3596 wrote to memory of 3348	3596	cmd.exe	111
PID 3596 wrote to memory of 3348	3596	cmd.exe	111
PID 3596 wrote to memory of 3348	3596	cmd.exe	111
PID 2532 wrote to memory of 4768	2532	service.exe	112
PID 2532 wrote to memory of 4768	2532	service.exe	112
PID 2532 wrote to memory of 4768	2532	service.exe	112
PID 4768 wrote to memory of 1912	4768	service.exe	113
PID 4768 wrote to memory of 1912	4768	service.exe	113
PID 4768 wrote to memory of 1912	4768	service.exe	113
PID 1912 wrote to memory of 2684	1912	cmd.exe	115
PID 1912 wrote to memory of 2684	1912	cmd.exe	115
PID 1912 wrote to memory of 2684	1912	cmd.exe	115
PID 4768 wrote to memory of 3708	4768	service.exe	116
PID 4768 wrote to memory of 3708	4768	service.exe	116
PID 4768 wrote to memory of 3708	4768	service.exe	116
PID 3708 wrote to memory of 3504	3708	service.exe	117

C:\Users\Admin\AppData\Local\Temp\10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe
"C:\Users\Admin\AppData\Local\Temp\10efba5c119e11dc5b3a18e962748e9bf070cba2a661fa466b1837ba81506b43N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOTFDH.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FXPLGWPAQAPQNWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4160
- C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe
  "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGSYOM.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPXPCEYAVPDKFJX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2872
- - C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
    "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGFJXA.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGSTOMPESAIUJV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXKRBM.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXEFCLDIWWKLGEH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBJUVRPRHUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SRVIMIGWULKNIBE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJOBFBPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCBDYTGOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUGVAFVVTCNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEHISN.bat" "
        11⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYMCPLJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLLFEK.bat" "
        12⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FHXGGPLTKIURQUI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBPXKJ.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTHTEDHYVWJOVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        14⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUABHE.bat" "
        15⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WRPAUHAUWBRKNPY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNTYKIMHPDEXVEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDQTOH.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JRFQGCYXBOESOMR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJYMT\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJYMT\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCUYTQ.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFIXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWENEY.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAXTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTKEO.bat" "
        21⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ANJHYWMMOJCFGQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXIJHPBHMAD\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\HQIESXIJHPBHMAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIESXIJHPBHMAD\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXEOXVFCMGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        23⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFVOR.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NXOJIWDMVTEAYLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUVGH.bat" "
        26⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PQMLYFOYVGCNGHX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KMYYCUTBVLYBGPG\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\KMYYCUTBVLYBGPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KMYYCUTBVLYBGPG\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        27⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        28⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASKGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
        29⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTTNGM.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NPBHOOXTSHQDYCQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
        31⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTTHIDBEUHOJOLW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXWAOR.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUPXLNFMMVRQFOB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJY\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJY\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLHPG.bat" "
        33⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSWIGKFNBYDVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTPDPBYDVVRSFKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
        35⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHJECEUIPKOLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        37⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHBRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
        38⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVRS.bat" "
        39⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MNJHJMUDOTDQBAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWPSUF.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OYPKJXENWUFBMFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFO\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFO\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURBMS.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FLYYKSJTPKTFUET" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCXRFMH\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCXRFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCXRFMH\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREIIC.bat" "
        42⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDWUDDXMIQHFRON" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFCRR\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFCRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFCRR\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        43⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJNJHXVMLOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNOYU.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXKSBM.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYEFDLDIXWKLHFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIDYRX.bat" "
        47⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IHLCMSLBBDFSAON" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAUTI.bat" "
        48⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QNBNVBTXSOQCIPP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        50⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        51⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe:*:Enabled:Windows Messanger" /f
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe:*:Enabled:Windows Messanger" /f
        51⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        50⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        51⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        50⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        51⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHVDR.txt

Filesize
163B

MD5
7075fa8adb0a3d258cda2952a34e7340

SHA1
5801a6b2e8a8e1844ec57a65f78ba4e77bdefd1a

SHA256
88f92a3a89e0063f184b177b605ce5affc597fa8802e49b4b8c4b56ef8e977b9

SHA512
5cc82cee1092136bc4555b3d444571c590a0cd0ec77f213c717ef826a1e68c55dd80f87951223ac3dd0b7abcb7cd9194dbd2023fab0f4339ffe6419831460277

Download Submit
C:\Users\Admin\AppData\Local\TempBPXKJ.txt

Filesize
163B

MD5
2a7a9125324a6075410a954b0125be81

SHA1
1ec5de9f1f4e8ee85869c0a7f1c57e347283810f

SHA256
7e47454bb37b64016e6e7ecb8372abe7701692f6ed77030bca723964d0a9f6dc

SHA512
23b407b2b2dbcc631d6351b9319834b4073ef226631a0ce35bd7ef337b463d0296c7ba67736eaf2dbce0e3e923ed9894f3bb82cc1f617655c28c90ad04504a8d

Download Submit
C:\Users\Admin\AppData\Local\TempCFHQM.txt

Filesize
163B

MD5
fb1de3a686fc82769c21e956f8bfe308

SHA1
dd9540427d08c3d0f3320ae1d5c27b4e5da57797

SHA256
b40600d10f1253acdc01df0a6905790b804b30e3d5fa0de4c74ed3feebf5056b

SHA512
093f6930977bfad5bf575d1b11965532099c51a05070c221f6f77714de110998c6e0fd2d141980cf99ab9f1b4fd7083be9053c2410ab9578325866952a2d3633

Download Submit
C:\Users\Admin\AppData\Local\TempCUYTQ.txt

Filesize
163B

MD5
b643d0a270af101a499759dcdbd0c158

SHA1
322b05844e3c68bf26a948bef889376bf098599a

SHA256
c223e954ca44188c8423f4b8043401d93fe8d5c4020d194ee8b4c89bed33c671

SHA512
73486fb470f3e99b5a402eb148b9adcc44899218f545ef4e5d03f8f191739e68affcf33c8f311384f31859416764baea4c6712d7814d78dabc7c6380abfe98be

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.txt

Filesize
163B

MD5
805a0854b6bdae48c71ee7464113dc78

SHA1
e875d5d0a2665556c4528d2194e4e721069cd0b6

SHA256
352b1d6863171eea99aabdc71997a75c797d2c196682d593e1607aeb9a3ba959

SHA512
a18211060ec6b9aed9e9595cf1eaf730b6d840680b29fd2059bd731660e4d59f3af274c4d1420b975f4cd44fb750089fda5eb7b44c75e73c36fbe1764b2a2d2e

Download Submit
C:\Users\Admin\AppData\Local\TempDQTOH.txt

Filesize
163B

MD5
490f2a2e6c8f18a274d85723a91e2d71

SHA1
72834f243cf97c326ffb8a4074828b3a68d427d9

SHA256
c1829929dcead04f2682cf8b79be0405439e459e3db1e40260ce2066778f7306

SHA512
3513ada7d0c986d1bd29ed05f6325b9055889366a1bb121e195ab38cd7d32fa1b12b1baabbab4b65c386dddb8d42a137ad95434879a7cac6da1a096d3d074656

Download Submit
C:\Users\Admin\AppData\Local\TempEHISN.txt

Filesize
163B

MD5
cdfc4e1c5da648eae37f54f8932aaa08

SHA1
d66b7dbfef353da069cab6fda30f02ca28f8f058

SHA256
12490cc774522c4bea31c8adabfe95303324958033d64066f9b58013c4fdc514

SHA512
6c51f6a5dd088c720209f255b9a5497a4e94b6776b04842f12894eed9bf07bc2db9384ac035ce297060eb006035ea980c9a64376c785c204409fce37494a9f6e

Download Submit
C:\Users\Admin\AppData\Local\TempEWVRS.txt

Filesize
163B

MD5
2b6bb6b79f1760c96d8dae8345350053

SHA1
8807b01e4ea23dd9bde22595b40ba99c021372cc

SHA256
b13d848a0987be1a1d10b47c99ddb0585d6eed3846485c82b740fee5a39b045d

SHA512
eac54b58f8d90bcaf13aff8bf3f86b239a895fab713705ccfc8212114c4b14e8cc69627eaf85a19324316bfa09c4d8f4c95753b8239080364679e8b2e65c7dd3

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.txt

Filesize
163B

MD5
673f3201100fe8a257c12e36f4049a29

SHA1
f97afb1d3b91a839c87d2001b497351d2bf2f5ef

SHA256
4b736c214c6432ed6ec4c1b7c8ec97658fbd66a276b4b469e89b92fbf3721e26

SHA512
8ed78e8fc185d91af59d99ce418bbaf3e9079dcdccd1c38c0fe9574a4abfa6d0bb310084d07e2438261f6ba4d60d80b8286d94d763b3fe4c7ed902d9abd259b3

Download Submit
C:\Users\Admin\AppData\Local\TempFOKYX.txt

Filesize
163B

MD5
ebf5acfc238fdcd197335e605aa8799c

SHA1
dd4627abb57424077d0e11865cf6cabb3f003194

SHA256
4ec7fa9ed7c60b9ea4dbba16bf29b56d1fc6c42bd371f398c33f8540e5eb5cc2

SHA512
1824676088292d007759ffde2cfe2a034c48ea8a3c96a903588343b69d4ebd912ecc8e264bf3801777a128ce1bb917681cf626e6134307d6829db10471b31f70

Download Submit
C:\Users\Admin\AppData\Local\TempGFJXA.txt

Filesize
163B

MD5
fc24b4c72219bcc6dc5cd5718764640b

SHA1
aea0bd2b4f76a8341d81b4793c424cf5ac4f47b8

SHA256
7ef6dbaa1d297060325e798319d961213f00693ff22d9816c06c26287796b815

SHA512
f42055bc82200eae91573ecaf1432e786c3eb83b75f5ef85aa8f2cd2808d61faa0d300244bbafde0d2c9bd9c8d14947b61615e39ca4ab3aca6c3da28ed33fb91

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.txt

Filesize
163B

MD5
d26906ce57d0742ee8a4a65816ed98d2

SHA1
c5a3858701cfa7f12d7c5ffa00d5b04d20d21e5d

SHA256
db6f5861099f035443d06c0785b21384e0c2e5e7a4b623e6ce06705ed58b28be

SHA512
31e0f9c040fdb07c7c820cc6dae50a9abda62825ad65dbdaaa3f3c102a4b1bfc29e5caccb7a6c480d39011cc22cfe44e95db30fee858ee8c9cac9576d751f4d1

Download Submit
C:\Users\Admin\AppData\Local\TempGSYOM.txt

Filesize
163B

MD5
6c1132e5d6c676eadebfd154626cf797

SHA1
d5024dd27514111d53da0ee571c07e730077a779

SHA256
bb9f2494718fa6ca0ec33de15b54b8992b0be3876b16f5e7c7a88364a53a3ff6

SHA512
f6e1a20849c57473f11d088b8293ca096f4bd1f98144cedf28f9e27c3b458503049f4900207567a414a42ec213a8e3f05f7d7748048c5cb5d353f954b9af773c

Download Submit
C:\Users\Admin\AppData\Local\TempIDYRX.txt

Filesize
163B

MD5
3253980e14f76391937d00c4fb0bcb4a

SHA1
b379a40410b2719863aee03ba3b99362caf10d41

SHA256
87c7e7d5e293e10a5570b620f738ea5ea738a85bf6bc506a7f138af2f4eb0e68

SHA512
de02969da983a83f75d084ebca6a73ee40ca7527435ce61a741fdf938ddb8d53ddf4d9afe8814cde7a317df630872383dcc20c64d70517b85ad2203b0911efbb

Download Submit
C:\Users\Admin\AppData\Local\TempKNOYU.txt

Filesize
163B

MD5
5c018d68971dcfb6f1f23a779b99ccc9

SHA1
fa1903fa8b4bd7209b67dd6d6ff9493303f2e74f

SHA256
99d85218684184e6d7486cd925c82e220d0ab5410f560369a6772708ae42722f

SHA512
38dca911c7f595d6c16b6ab643bda223513cbe31626ef760abfdb4efce433fb55f338e267a8342573ed1efba0d5904f86bb02be6cbc9a44a53c7a21c46cc920a

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
8b97263970632a3c1ff9bf70412b7f84

SHA1
0371cbfe0ac9c589053d47cb4ab9bbc1767d9ae0

SHA256
a7b2f76c913d03ab65c01792c0d01fb2cf7fcbd391f4de64ee1fc83f44e7907d

SHA512
d619dd5b74b8c3746cb8ceb968f2fe6caf24c2ea537cfb4ac15b30f4ea066581291e8b92e1634c844e524f9ded809dc4132b3d86674add60dfdfe7e9142dba3a

Download Submit
C:\Users\Admin\AppData\Local\TempLLFEK.txt

Filesize
163B

MD5
11e3bf42e82c3d9a9a0c90072e77a06c

SHA1
50ceb47f27a046732ee4b596e30eb8b721b27ac9

SHA256
0f2f60f6e10db48d41299f5e2a7f59b7dbdc9bf407d162b5ede61faa5f615550

SHA512
f83f2aa320491009a505f2759cf32fd596307c966b24edda6ee5b257b80552c5ce2ed6c47b737aa9a8a1e47b4b4f62cc56f61b435d25d2bc2476b6fad716bac9

Download Submit
C:\Users\Admin\AppData\Local\TempLTKEO.txt

Filesize
163B

MD5
e2d521faccf12edc736326a60d48c901

SHA1
b730850f45026b3898a46eb6275961b062255034

SHA256
cb9ab9c65bdbac0895bdc141dc071321a3f8dc2829d159bff4bd798b5b6493f4

SHA512
1b527e1809ef7afac9adb60f2c399fabd03f47ce71fe0bb4fe2d46cc4c97ed7fb8bbddf47df26ed1ce3298f6576eb8ab13a61853ea7f788fc5653784054d30ae

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.txt

Filesize
163B

MD5
e77159f9400b36307346f4e838d3548f

SHA1
ea8e54a5773dcd1120a94024f3937219e6d18615

SHA256
6d6b2cfe9cf7c84965ecc5807b8d8f8713ba7a47112b81da77e12d8373a78ea6

SHA512
c95bf5507d262f35b7f14f669a764db383d2e7a453f24a077ffb10449f8e7d399655b025f63e7db4afec1d2a3cdb747848dfdaf6bd8cd490847704724198b51e

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.txt

Filesize
163B

MD5
cf937b7d55932faad09ba835458e6a83

SHA1
1e3445e2c1ca834a6b29cbf5b5730873a42f8cd8

SHA256
8a75c414f3c319a6212bca79c0c2628c4bcbd12114d0f248290a5733d08ab9a1

SHA512
60111eeb8e2c72c0ee781a23f819c5889a07a553e7d945a67b1e4b1f85d1fd862c19e0ae101e3b90c615817bf48a8c9a40830d36e81877ae0f5c5ab2f7957693

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSA.txt

Filesize
163B

MD5
911de8fdbf3d30e68a4e05a308822af0

SHA1
d03c42af04964467fbf9b0e979e0342c902f9b4e

SHA256
8ee66dc7c6d45b514a971dd255d350c426d7a190712deeb33c9b4620a87915ee

SHA512
806f41991043b5e0dcae977e1872c5588770aa85edb86f98d2788283def60aec7ab3624cbd8955347ed585a0ad0863f303081a929ea2f3f95c28e86e8c758b80

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSA.txt

Filesize
163B

MD5
08a46825f8687526303d13241600973a

SHA1
43085350ae1fcefab6da5f21cfa61871e88094cd

SHA256
53d3ce1ce804418b19fd7ed0d1e65aa46092117a49cc26a2a32750ede80c6b97

SHA512
684220fc914968d010ff118585b463bafa1c5909334dae5138caae443082278909324530016c7dc5a95f4d102573082db7a33abb5b3f753ed110a50945ab942f

Download Submit
C:\Users\Admin\AppData\Local\TempOTFDH.txt

Filesize
163B

MD5
eb64fcb2e864d323d82ec24a60fcbdfd

SHA1
46d996a92e6bee848761c88dd7c2db22c11111dc

SHA256
2cba59912dd6bdd1567c1943c95b2bef8cc37bf44880168f0bb1f69ac4793d29

SHA512
e70cb249d37d5ffb8596b7811462fdfa4a0ddb46f61eeeb2fd582eb7e70a3e819823c99749a23a3a61e55d62bbd119057bd8403b56118a7aa51c2bc02643d45e

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXL.txt

Filesize
163B

MD5
e51988ed7528367792e2a7e6b00bf24f

SHA1
e459aa5892924463a17cdcedf2ed2b699af6ed54

SHA256
021f4b069bdd9363e0c75deed818d8b318de2042b5db7dd1fd6071cd1f4e26c6

SHA512
0f2cc50450ece5584f5c0fc15bc1832545e4d9633827bb0505dcdff70209ae00f1746ffaa1994f58fa8720a623ac50f2354ccebc2b9f2ee13ca50c8ce54b3118

Download Submit
C:\Users\Admin\AppData\Local\TempQUVGH.txt

Filesize
163B

MD5
6aa53a4c806d7287188d0d43486d6ba9

SHA1
008fd8ded6c544b03c2aed890a03452105a753a2

SHA256
84c881a391a581eeaebf61248813a5d19941a2295f1790074ab245daa527e0c0

SHA512
64341b89165ce216c2d65d5f1aa96d19dd194079f6353f56d19c308b20724384e8a110cd10b99fdb0bc5de1929a843dd1a53f71eddc691384ac45e1cd1a3bc14

Download Submit
C:\Users\Admin\AppData\Local\TempREIIC.txt

Filesize
163B

MD5
685c9d695daca3eb3218047062e5079a

SHA1
892517ba5c4b6302cc4dddd844f8aafbb80ddb05

SHA256
704514b1627f255b46e0be50acedf38915e17960b4dac9ac504bd835ad4f330b

SHA512
02a16853a014b862f875944abdff8713526541135982b9423657020dca5dd539689d4fb0728b18fda174ed9749b9ac017e4862a93aa0cf674661eda2227c7cc4

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.txt

Filesize
163B

MD5
759a614ace0e3352f7d48e1e47c9c016

SHA1
3f96be3a19dde37ff44f0630880feeca3c6a2fd3

SHA256
7af5d185d2338b34d83e10d849f5424ff517bbd2a1947f15952e8b346020be89

SHA512
6a145c0ba87f9a98d69c68bb1f6f16eb85e1f10019e75241fe3ca77010cae4ec4fadc6625b11a8725a0f7c48a0df57062adf01f74ea5156bbf5fb76e83e8c4d4

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.txt

Filesize
163B

MD5
6a684d28bbeed531c71349094283180d

SHA1
644edab1c1b815a6c99a508df0582d8641a4f44b

SHA256
a450ed5a3ce8179c7ecf166fb091982c765068226ebb0110ecc07987f79db196

SHA512
8da078e59e70a47dc1ae645d9bccf0e716242a9b1286a2f856da077c4f5845fb37ecbe98c0704b73375df47951668a66c37d037dffdc4cf791dbae89ccac2672

Download Submit
C:\Users\Admin\AppData\Local\TempTRVQY.txt

Filesize
163B

MD5
fa29948469496c732fa1a20aae919ab0

SHA1
51aaa2378aae105b5b7c54174f60ea9744bf0a47

SHA256
215566868d43423f77449874e403fd34e93e3e8fced5794e63a8f33aa23f80b8

SHA512
0b2e97e3b23e1d283b5fe5c876409dcb619df44b4f5da5871e78c8fd9e3d89a8335b52e566d258f98e83a15a3c83f0be4f541db24eff25a3e78e797905a6671d

Download Submit
C:\Users\Admin\AppData\Local\TempTRVQY.txt

Filesize
163B

MD5
cc2281b5290761dd2186c3350cc6f4a4

SHA1
17624a63b7d755f01bbbfe2898ad67b1d2a1a24f

SHA256
f03902729551f314f17f2ebd714aa5f186553d3c0f666017dbebd151cd4fc2c5

SHA512
444e26b2253d5bfe51b3d12faab6d56ab5fbcad19333b9a5c6e0ab645af918df3f789a32816ee438bebba76357c0df4dfb969d7f9fa9adcac29c49307f1991b2

Download Submit
C:\Users\Admin\AppData\Local\TempTTNGM.txt

Filesize
163B

MD5
e2531e27e70ad32b3ed22ffdf9620e7b

SHA1
7964c72bfbe26797603445801dfbe69878b75b12

SHA256
5f9c1841ee2b64c84d138d08c4977e18f3605a3b176056472e52a279758b44d2

SHA512
5526bfc7681550b07f2e442bb6ce615cf7bbdb7b2493f6917401eab8d6d91c8c9a064bd6fb37b5ed16eec0685344e17425f9180875465791a482f5676b3130e4

Download Submit
C:\Users\Admin\AppData\Local\TempUABHE.txt

Filesize
163B

MD5
a585c5d764ecefa18ff170d34660a3b9

SHA1
1092e44e142d514c683f64b9229186ed2b55cc39

SHA256
9aca46a702a34c94495c532212a6709f7e5e551e1ec5c89f412894ba1555753a

SHA512
5abb260dbe685da7f9afad091ead249070ef30c20acf8d3d80d6b02f047bc38f90dc2b802b3cf27630ec4e4ff7ef4db1080708a4248bc8f52a547cdb5e79eb19

Download Submit
C:\Users\Admin\AppData\Local\TempURBMS.txt

Filesize
163B

MD5
9e3556c427ba4848e9554a03eff99e24

SHA1
e4f99678d78d68e48f8fbd676b31b642552165e6

SHA256
510e11bab43365b072358de461ac433d6cde158e4555eda27a24dfad7aa80058

SHA512
f4cbd50eae4ec47cace9deaca10239072bad69fdebf436d625324e99bb7669ec0b763f94a8cee8f77a017ca7ba33a495e001a032ca897c7f98bd3814a83470ff

Download Submit
C:\Users\Admin\AppData\Local\TempWALYJ.txt

Filesize
163B

MD5
18e2e2f80cac258489dd7626f12686b6

SHA1
480a5ed45b2af0d1365d06eb3e864bfb249bef9c

SHA256
9b257eec1cbe9830927dfd752826fd8446c13246c6f45918d7658d184640715d

SHA512
b1b4a5d032f0cb5cfeda650567131dcadec84e0d5521ea585a4d9c64362b791d99d7fe5605eed306b6ec6609ee0a9c787e0ffecffffcd18f080a4313ecce6944

Download Submit
C:\Users\Admin\AppData\Local\TempWENEY.txt

Filesize
163B

MD5
96d0789c29df9db5bb03aa448d5560b0

SHA1
5912d51ab01f269a16f9061d07a88bb1c91615bb

SHA256
43bf63877a4452f2ea28a618a6588ca210754bed763ea7cdb5efce2f27be204c

SHA512
7af02d0307fd79402ebfed87207afed59b5eb9f2b029a58fd377767539551078ccdbc5cc78583a69a6812e58816a1c6dca133750d0f7b92836e022b328187700

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
b96c1ebb8b5ae79aaf417f1571d5ca9d

SHA1
4c6aaa43c13cdaedfa9081a4b25ce410d9f7c22f

SHA256
5d01af8e8cfdfc694da1b87e6cf5e43d43c0ebd49c7683ad8bd1f7e6a3bdb85d

SHA512
63a1dc44375831ad55eb83976cdcfcbed3c69f6d6eae78802ec684e4c77dbb29d477e29cfff6d57c1916b43687d7180e4c4620abe20b5bcb611eef764fe3b60f

Download Submit
C:\Users\Admin\AppData\Local\TempWLHPG.txt

Filesize
163B

MD5
47376af364c01fa68ffc4ff4dfe5aa24

SHA1
89b3da7d77dd38aee3cbd92ec96e2423488b8723

SHA256
7eeda6e5b13e712f35601853ad61c2d053bb2a1f11fa38d1da4c163fd3d60451

SHA512
9eafd3d81ba539f80dc3b05c995ca31563ea5ccc2cd531f29e796ff6eb59004464db0fe56f39e656788c2f5636c005560ef921740cbbea1cbb70c18bebbbfbd9

Download Submit
C:\Users\Admin\AppData\Local\TempWPSUF.txt

Filesize
163B

MD5
4dfc049c9a424c9b44399024c191f055

SHA1
2f5dc9d6863b6261b7878acd957273c5bad9498b

SHA256
0cfad156e1a07797dcf6a5eb2812cf599aeddafed90599cc586549c886320721

SHA512
433d5d4c53bc7b7cc841a81d76faaed2e2e59b74c6dea423293758f9a8cc9bf0b052ec1dd8ad552b6ed1b48a83028529bcebcfd571aecb035dec45836468962e

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPK.txt

Filesize
163B

MD5
ea52b23fac094cac240e14a3a7f71c80

SHA1
da554180086078f0c2c875c96bc7b6d8a0fa9388

SHA256
2b983376d9b33438d9ae495766b75607031353063256e11e88a67c728f0d74e4

SHA512
8dae6e6b9700bf2430cbb2370df7a2c5629d511d40c99605aaecde5d0609e7c61bb559abb211cb6e507ab7533805e005669e7f765c32f48fb2afb9afcecbde3d

Download Submit
C:\Users\Admin\AppData\Local\TempXKRBM.txt

Filesize
163B

MD5
dcd57969e5c9699419e228df8aebbebb

SHA1
f679f06b41754fe33652ba532ae083c2e13aa592

SHA256
2be8b50d6cfe032244594025a2e60079534db6cef4359d748269eb61d3e13ebb

SHA512
a9cd5d5cf02f9c38444b8af5345b625e01bd576de2686f44d1d17633efd13c38f408bdf694bbae2c46faa34031be193357443d55f73c64ca243bbe3e76646128

Download Submit
C:\Users\Admin\AppData\Local\TempXKSBM.txt

Filesize
163B

MD5
d9c96229ad74e5ec8fd6e260a7587597

SHA1
9fc900d1ba5e3dbea90444bc2aad9b6a274dd052

SHA256
e8d98c3a9668d6051392507d52be3861378ba5edb3d0475be060c6b79ba7c282

SHA512
f346386891cba1bc6d9314cf47fb1fce8f2c88c7f2d420bcaffc51cad625c2a0b232eb20361d3c0411540c0423d91d8e6bb356b9a1d8072909c824842573ca68

Download Submit
C:\Users\Admin\AppData\Local\TempXNIRI.txt

Filesize
163B

MD5
6e3314e38b5ba5c729eea4ece6c98bab

SHA1
67bb6ddfef85b265fbd9b240052ad06f873a51b4

SHA256
59476c37d333018c7d32dac62ad1be04e6fca57849245f4fb4c8b73f70c53e8f

SHA512
31fca75b88e5ec01ab5dc6781b3e6c3ce4ba2b145b0ebfb97d6c0ae154d79cfcdbeeb4a8143f2732b6244d7d06f3f03b7583ef41381970083d149122a2efb778

Download Submit
C:\Users\Admin\AppData\Local\TempXWAOR.txt

Filesize
163B

MD5
f0b2ab5705a21f664ecee97f5acfa866

SHA1
c5df314f610a51f7e2aaa3d47b8716e4cacffd6d

SHA256
52ebb641553a1571990946c5728fbc5f33305554547865325c772a1ad91bc390

SHA512
3d872a33eeec30402e205bffb68c5eab91404f79313f426edeb21edd4923e3b63d44df56f9a0c42eddaa7c841929d8185cf3a1fefcb312b6299606a012bb8145

Download Submit
C:\Users\Admin\AppData\Local\TempYAUTI.txt

Filesize
163B

MD5
137885aa35ab908ae45143eb39499593

SHA1
3b7fc47377eccc7f9d6d9b9553cf5c13561e6251

SHA256
7eca61acb199111f5516ebfc4364ca7d5191c19e731a9e4f9e31f4aa6e7551fd

SHA512
0fedda0531d9e2f8a3c6e69cde714323f0f5202e3fcc297f2a12141c8a46a8049c52b060e68e4cf0fc8c4bfbc2e7f3375ba27b71a60c89da53bbe4e70542eab3

Download Submit
C:\Users\Admin\AppData\Local\TempYFVOR.txt

Filesize
163B

MD5
abfef3a647b2e08b7122d79f7a5d1000

SHA1
c3f3a376fa3f29d32149073c5c3fdaff95b6e5cd

SHA256
71afb621d8940c3d4be266fba829acffd82034ea905b751bd0911af79c89a9df

SHA512
13cdc5eae0461be563a07e8cb2b45f111d986938fdd1561aba5a3460299045bec1a69eb5d362620ef3f1e0911dc0baf2cc0f225fdcc96c403376ce375f8c7fb8

Download Submit
C:\Users\Admin\AppData\Local\TempYKIMH.txt

Filesize
163B

MD5
784335baa97923448c31a8629b5580b3

SHA1
59390a69107ac567dfdfd1de174998a98c6b80f8

SHA256
698664c420f3c71c57c938fcc3a29c17ebe4b7b87abbfd28bad7a2f775faa681

SHA512
d45211d3cfb6ed4c7e771ef93c2c963b5b080348eee28c67577a949801b427e70f94b43db7f233dd83c9c8d3c7a03237ecf5acf8f1b178785ee0b5dbf52704c6

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
4153f474f6b22d60e6da03ff6c78aaa6

SHA1
e6ea81b972e50de0cd265c2cb42b69f805b3dd75

SHA256
753e0c8e22122c256e7389e2eceb8231d095be1a130fcae31526d720a6968184

SHA512
1bb1ace0f66df674323920d21d28408c23d5252e556c9f419a76c109fd94552c65c92614a0a68f95d3380f0ad1cd3985c1cbb50cd03ea3eb1321f4a9b7c88bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe

Filesize
520KB

MD5
df0e7a99fa3a994b2d5d029dab447581

SHA1
89ac9a8e284bf09c32add0534cc41b9b73ccd0cc

SHA256
f26162ed19c9442253d9c0b8dcc1c293a5b0fea45c4a8e92846cbc560c2a6b7d

SHA512
b27513d88bf4d493acca8af8b14ad26eb39f265a9fe50a09277b4c23f32094cec63578939cbcfd6fd5c00b9e5897e92a2885ffa0cc95038c4314c0174b51f6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe

Filesize
520KB

MD5
d89221c94955e14ff047a9340a843f30

SHA1
6d899849514bbeb9f70e40597b034d845793d8d2

SHA256
fb2f8bba8e3a21e9d9f8c0b084a5320823d844d99127ccb52f944bfa314727f3

SHA512
5824f3ca067191c03a4aaa2c91af0d9c2efd1cfb158a5fee6295479fb5702eb365ac869ff8658fdbe26ea003228c9930ea951ed328bcb9862ade9d69c5c9132a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe

Filesize
520KB

MD5
029bf8a9584faaf2acaa4e8c7036a7d8

SHA1
b09a06aa58cdcc32828bcc0e4f2550d5d04d8bdc

SHA256
d43f2f40237bbf5ef031d8eb8c211c5583fe8ab6089b0ac83fd9f8269d1e9131

SHA512
b308410a9d22817c3894f09c49bf7063e4f2fc944353b603bc28c351f535c80caec0d36b14dba15a802926ff53dddd0a9813fd6d9523feee9ee14c9da1a77080

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe

Filesize
520KB

MD5
e7169b46fcf3e81de8b2962ec88622d8

SHA1
2ec81da5add57f1a43cf6cac1c972e135e1feced

SHA256
b7de98abf5bca5a8207de529066738d5741a370a76b88fb2fa1d899d9f10e13d

SHA512
7323c6ca6658d720e06504e73f6087e51e97a1a4fe53c2967d999ef59e9fd906bc0d9b5eb0f6c916070c2c407add10fb532b3327ea568930cb224e089a13d852

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

Filesize
520KB

MD5
5581f3e4825def83bcb4d3f74b43f2e3

SHA1
0b45db75b6d6be8e108e6f59498acb65dcaf9549

SHA256
7dc88e27d64b5d5ec57256a5d34a17f736a4600c90a1440cda0eb8810ead897b

SHA512
89a70595e0ce99e8d7a8431777f1c3387d98d12ea7a9fca2d8048a7315c52603b3bc9eb38692974e2f84ceddef2fda79b7b14a0415d541f6d5c56e999d4de25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe

Filesize
520KB

MD5
39b4ba27e8ffc473230ef5859fdf943d

SHA1
cac8b2d76d4c4e4f31f286e124265da53dcf699f

SHA256
b5b560185f439acfc40f7bc389d8333c0302767a5f74cfa0476dc390b6092935

SHA512
5ed8a83654abd7ca46215d85b9586b0350d5d4bb30bcd2cea70ffbc4cca3b0bdba4747bfa584768fea5ae5fd8e15c9c7766293dd68d5bfa5732f02fa505cf52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.txt

Filesize
520KB

MD5
3199577efb3036e9c2f8b9f620a008b1

SHA1
ef4ccf129376d2f37ac200e3074bbcd1b77f97df

SHA256
a057e0d378ecebe13f27b05886fc128e042e596a80d31ae9719001926b8aff97

SHA512
26e7f78ad3d228d74ea88fa6de3c57b66463e7bddf6d2c1c67d2e121d203fc263fc8a4109d4d2566f93117598392cbd54eb51b1891c1644582be38e21e6147d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe

Filesize
520KB

MD5
5dfc18e918615ab332ef987203ff3206

SHA1
8a427ac7408484f40a101971ba272225a41b7ca6

SHA256
3ded2614d3a10bc06e4e6778625c2a29c2ac9dfbb06a98f970d3fd41cebff1aa

SHA512
d59ea9bfd8dddb5bd0b93e75d0b2c6587bf90c0c6fe8357a41da90a0c5f1c6b7e2dbc3eb432af3370c5f7187d17c20d2ae49b7bf153749f4162b70bfd26bc9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe

Filesize
520KB

MD5
7418400dbee81aeac98ec889fd65fbc0

SHA1
5347cce7780cdb7e3131756426b243a5d228e5df

SHA256
193d79ecefdabf25bb1e1894861752353f7ddd56066ae6ff56f904f4ca2b65bf

SHA512
a3ad6030a985c59c6dc26b5a7112bfeefa54f66746a7f1be238729a24fb134ee25ec01140b01b58c58478dbe0709955066b485809b6ca5cdfaa6daf78f6efb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe

Filesize
520KB

MD5
8c66c2974ca05a7483fade123f6bf3f6

SHA1
fb1271a378efd24a13de6bcb9d97ea560d0bacbd

SHA256
fa20f9b2802a0ac548553b0f7502ffae05c7ea24f31869a32a75a663593656fb

SHA512
7d901f1d850e7a1b55467a37a450083d32ec2fb45d4617b0b5cfbc6288611db1e864baa4398c01f049474a732e10ce6baa5310e034e1199333d35208c90d6f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
ec2ba2069aabe3dfa107f058fc1272a6

SHA1
b21b359e05dfbff85416b977f4925473eb62cd13

SHA256
21a3f9614d696b318ee1df7a3271978ac41eee4d83eadba165216069a4de24c9

SHA512
e4ad09a853b6bbcb4c0c8f43f45ee91b6a63aaeed82d3c96f312afb895a6ac234141f14e6b19fd337c7b9c188c475e9112f05d3c7c8799a7460d187210e02a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIESXIJHPBHMAD\service.exe

Filesize
520KB

MD5
5c1ad551d12fd1558e41086a8d28540d

SHA1
761405726e5353682568d900efb926bc9282ec9e

SHA256
97b1a32a2a776db83ecc2f693db359919e12f865d7fe6c59d5f051c2623966d8

SHA512
02a4094066c5ba3d219aadf1adf55d67ccbb8e78ffdcb7cb25e4855cc1e0957bf3671d03dbfbb72e4d443d8f2affeeca14a6e6683efbf8496e30e12fd232210a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe

Filesize
520KB

MD5
d8329aa558485d1bc68a2741d630e3a2

SHA1
d852b209730acdce4d7cfba261c9dda108583c9c

SHA256
f3c8167a5f3c3c7483762f565aa8c8502ab6bdb238d80a113b7b3a32c1aab2a7

SHA512
60ce83f9c249cbc79bae8738587f53aa3a8c2277e7008299c5a5ed55cc4df0c086014c68a1287a833a66561829961f384b748dffcc41b183a5fa2d6d19388ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe

Filesize
520KB

MD5
f1ea164c2cc7ad1921f5211d5ac93567

SHA1
a227581e0fa50f570f11fda9efba23868ed93339

SHA256
d05e8f27b6d75924080b212826e02113bc26a73f9816b69f4435664f42befa72

SHA512
72dae54cc66e1295947b603ca22a63b83f1095401c0a752e8a84fcec002fa4540affcf6426bba10aa88cb493140a4ebd4a5b3367f01986b4e48d725049b3b926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe

Filesize
520KB

MD5
49cf881f4a72764ba8d6e38eb9e0472e

SHA1
6610c4ed71122f9e886969f813c2a469feeb2285

SHA256
4e5944490863a918db2b83b1f7d6340d06d0893869cb1122f5f97a2eab45ccd0

SHA512
f1b64b2938121034664f3a38909d6890b08b8d5d460d4f2b5602548a9578e1a65f6c7796785213f2ad33cdc84ff5d9c727e7d128417b43113680f05388d2a43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe

Filesize
520KB

MD5
30752c83e071ae595d8785a5bc59cae5

SHA1
6c01ea9b2ecac91bdc39c2a1bd6395e7438169aa

SHA256
adfb8e1afacd01dad361077e8be94cf8e6cc54d4b4a1c7242bbf815f57425006

SHA512
2417059bd1e886040a4d5439950c0b5829b80a3acdb19f695565eb90146c7d44c51a0c07a642df51066f4b0d38219a42ef83f20c2036da095a2507db21672d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe

Filesize
520KB

MD5
5f518815525a4f46b3cc92c5615627fa

SHA1
a3ab46a102eba138c7d44e3b3c51487cd00dcbe6

SHA256
f4a7324e24132929877dde4ff9acbae0d8d3358fa0be1fb5ec9152f7b94b7e17

SHA512
c2a4e6dfe400003903af023ccc1c8a48380943eec6bd32b611bf9788a7e4b29e778c41d0c0039672608c5615397d1da9e2ffd3b1bb496496d05c5e706af18866

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe

Filesize
520KB

MD5
dcbee5bb65e319ac05bf029376e09a08

SHA1
03495d7a277dd6a3ba66a3a5b8fe0141f8e6abcd

SHA256
786c426dfb3b526c06ad13fe894d6658b9042952dbe6c06409aaea7c265a63d0

SHA512
60f18eb34bb9e007a521a6ca48b7430fca84f9763dc492ba4fdb6f1f944fdefe03c1397afa8e9dcedabb0a0caad5c239a30bb0b3336e9a7cfe5ec0f6e03c6c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe

Filesize
520KB

MD5
3e436b18733563aa7a6d187588151593

SHA1
68cf49b4fa7166f76269f6110e99204aa931f3ce

SHA256
4822bc0bf2070e4494e1904724713bbcca908b7f7e5ef06b7dc65e6ee8905a94

SHA512
cb7bae5b82ec552646551ca55f790637a661bdf266539a39d353813e082017ac0c0acfd976a2ef033b6f1e38e1828661c1bb62f0668634e7cdc99bd847fdc1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe

Filesize
520KB

MD5
3547da282812a5495e0341b1e1d245f1

SHA1
9fa458e8cd97693f8f0e1786d6f58ea77fa2cf0d

SHA256
11331d750a730d77ba00834c5b7b9e48d294c9b79636d5d4d4804f6911332255

SHA512
e58dd8c9c986362b2a304f9fdb722ee98afaba50160baf161db5f21bf310c288fc71ab51006ecb8724823f31225f7aad63cba6467c5d4b195a85168dd009e7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe

Filesize
520KB

MD5
4c3d1a2bdce3e4fc395cb88242ec83e7

SHA1
0fcd164ca90584e65a3b7e90f5d085707376b19c

SHA256
bc85437b30c7a874babbe7c446c4000acd181df11c827dfcb48e87bf735cf333

SHA512
9d5ca9448478bce5f6450ac6b7bf2469770d29fc109e781d8d2dea532545e332e42cf9dc28374fd91301722b8927f26a5aabaf8bc8701d6b6d02e4b6b57d27da

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJYMT\service.exe

Filesize
520KB

MD5
6ac2593f8a12921cc02018fefd764cbc

SHA1
1fad52bb68fcdf6d7f85f3ecb5e50e648161378a

SHA256
4509be678ff13655ab9928b56a01acad156746e61cbed22e70ebb1a8744cac4a

SHA512
dcae15a3034249c9273bc5c0a5c6008f5d7ef7421c87db7698c7c96373c1c373b06bdefb1d92411500fb2e6fa71fa9f06e8324d3cee72780d2cbaebf1a0eb0dd

Download Submit
memory/1532-1195-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1532-1196-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1532-1201-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1532-1202-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1532-1204-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads