blackshades | dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
Size

520KB
MD5

90fac165caf2ed6420d2a6ac3857170c
SHA1

9fb56c084bd4b26daaa4ae8feca5c8daba9163d7
SHA256

dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4
SHA512

be4a6ecda08d15008fd37ab554773cbfe06b7ffeba206497180f0e289749ca60cbfd93afbe8def403c8d910b74e809a4b89015430ee69f06c0491f57db9c0f8b
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXG:zW6ncoyqOp6IsTl/mXG

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral1/memory/984-906-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-911-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-912-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-914-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-915-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-916-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-917-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-919-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-920-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/984-922-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEULAK\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 36 IoCs

pid	Process
2112	service.exe
2788	service.exe
2148	service.exe
764	service.exe
2968	service.exe
1856	service.exe
1696	service.exe
580	service.exe
1908	service.exe
2752	service.exe
2672	service.exe
1340	service.exe
1784	service.exe
2072	service.exe
1344	service.exe
324	service.exe
1704	service.exe
580	service.exe
2324	service.exe
2200	service.exe
1240	service.exe
1916	service.exe
1980	service.exe
2384	service.exe
1080	service.exe
2228	service.exe
3064	service.exe
2844	service.exe
2988	service.exe
624	service.exe
1312	service.exe
1220	service.exe
1784	service.exe
2248	service.exe
1532	service.exe
984	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
2112	service.exe
2112	service.exe
2788	service.exe
2788	service.exe
2148	service.exe
2148	service.exe
764	service.exe
764	service.exe
2968	service.exe
2968	service.exe
1856	service.exe
1856	service.exe
1696	service.exe
1696	service.exe
580	service.exe
580	service.exe
1908	service.exe
1908	service.exe
2752	service.exe
2752	service.exe
2672	service.exe
2672	service.exe
1340	service.exe
1340	service.exe
1784	service.exe
1784	service.exe
2072	service.exe
2072	service.exe
1344	service.exe
1344	service.exe
324	service.exe
324	service.exe
1704	service.exe
1704	service.exe
580	service.exe
580	service.exe
2324	service.exe
2324	service.exe
2200	service.exe
2200	service.exe
1240	service.exe
1240	service.exe
1916	service.exe
1916	service.exe
1980	service.exe
1980	service.exe
2384	service.exe
2384	service.exe
1080	service.exe
1080	service.exe
2228	service.exe
2228	service.exe
3064	service.exe
3064	service.exe
2844	service.exe
2844	service.exe
2988	service.exe
2988	service.exe
624	service.exe
624	service.exe
1312	service.exe
1312	service.exe

Adds Run key to start application 2 TTPs 35 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CFRSNLODRYHTYIU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABGES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\FUUHJECEUIPKOLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWXLQVCDAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQHUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVTRVJMIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEULAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTQRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBULLJRDKO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIWXJPWWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSODRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\QMKMCQXGRWHTEDH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUPSWUXINSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBNWBUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\XTRVQYNOAGNNWSR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HGRONREIECSYQHH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQLBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CTKITRPUHLHEVTJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ABWSNBWIXCHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYOSQTEJOBNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\SJSPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTXSPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOAHLCN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTSWKANJHXWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNEVMBLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\SECGBJUWRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\QOSNVJKDKKTOXOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLFAPQNWIOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFSAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUCDOULJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\LTLAUQLUGVAFVWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQANY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWIBVYCT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CEYUPDYKEJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\VIKFDFVJQLPAMYU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVLWPNQBGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\KUQLUGVAFUVTCNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOJYWMWQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IMJJVRPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2612	reg.exe
908	reg.exe
1588	reg.exe
324	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	984	service.exe
Token: SeCreateTokenPrivilege	984	service.exe
Token: SeAssignPrimaryTokenPrivilege	984	service.exe
Token: SeLockMemoryPrivilege	984	service.exe
Token: SeIncreaseQuotaPrivilege	984	service.exe
Token: SeMachineAccountPrivilege	984	service.exe
Token: SeTcbPrivilege	984	service.exe
Token: SeSecurityPrivilege	984	service.exe
Token: SeTakeOwnershipPrivilege	984	service.exe
Token: SeLoadDriverPrivilege	984	service.exe
Token: SeSystemProfilePrivilege	984	service.exe
Token: SeSystemtimePrivilege	984	service.exe
Token: SeProfSingleProcessPrivilege	984	service.exe
Token: SeIncBasePriorityPrivilege	984	service.exe
Token: SeCreatePagefilePrivilege	984	service.exe
Token: SeCreatePermanentPrivilege	984	service.exe
Token: SeBackupPrivilege	984	service.exe
Token: SeRestorePrivilege	984	service.exe
Token: SeShutdownPrivilege	984	service.exe
Token: SeDebugPrivilege	984	service.exe
Token: SeAuditPrivilege	984	service.exe
Token: SeSystemEnvironmentPrivilege	984	service.exe
Token: SeChangeNotifyPrivilege	984	service.exe
Token: SeRemoteShutdownPrivilege	984	service.exe
Token: SeUndockPrivilege	984	service.exe
Token: SeSyncAgentPrivilege	984	service.exe
Token: SeEnableDelegationPrivilege	984	service.exe
Token: SeManageVolumePrivilege	984	service.exe
Token: SeImpersonatePrivilege	984	service.exe
Token: SeCreateGlobalPrivilege	984	service.exe
Token: 31	984	service.exe
Token: 32	984	service.exe
Token: 33	984	service.exe
Token: 34	984	service.exe
Token: 35	984	service.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
2112	service.exe
2788	service.exe
2148	service.exe
764	service.exe
2968	service.exe
1856	service.exe
1696	service.exe
580	service.exe
1908	service.exe
2752	service.exe
2672	service.exe
1340	service.exe
1784	service.exe
2072	service.exe
1344	service.exe
324	service.exe
1704	service.exe
580	service.exe
2324	service.exe
2200	service.exe
1240	service.exe
1916	service.exe
1980	service.exe
2384	service.exe
1080	service.exe
2228	service.exe
3064	service.exe
2844	service.exe
2988	service.exe
624	service.exe
1312	service.exe
1220	service.exe
1784	service.exe
2248	service.exe
1532	service.exe
984	service.exe
984	service.exe
984	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2340	2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	30
PID 2028 wrote to memory of 2340	2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	30
PID 2028 wrote to memory of 2340	2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	30
PID 2028 wrote to memory of 2340	2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	30
PID 2340 wrote to memory of 2364	2340	cmd.exe	32
PID 2340 wrote to memory of 2364	2340	cmd.exe	32
PID 2340 wrote to memory of 2364	2340	cmd.exe	32
PID 2340 wrote to memory of 2364	2340	cmd.exe	32
PID 2028 wrote to memory of 2112	2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	33
PID 2028 wrote to memory of 2112	2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	33
PID 2028 wrote to memory of 2112	2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	33
PID 2028 wrote to memory of 2112	2028	dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe	33
PID 2112 wrote to memory of 2868	2112	service.exe	34
PID 2112 wrote to memory of 2868	2112	service.exe	34
PID 2112 wrote to memory of 2868	2112	service.exe	34
PID 2112 wrote to memory of 2868	2112	service.exe	34
PID 2868 wrote to memory of 2752	2868	cmd.exe	36
PID 2868 wrote to memory of 2752	2868	cmd.exe	36
PID 2868 wrote to memory of 2752	2868	cmd.exe	36
PID 2868 wrote to memory of 2752	2868	cmd.exe	36
PID 2112 wrote to memory of 2788	2112	service.exe	37
PID 2112 wrote to memory of 2788	2112	service.exe	37
PID 2112 wrote to memory of 2788	2112	service.exe	37
PID 2112 wrote to memory of 2788	2112	service.exe	37
PID 2788 wrote to memory of 2632	2788	service.exe	38
PID 2788 wrote to memory of 2632	2788	service.exe	38
PID 2788 wrote to memory of 2632	2788	service.exe	38
PID 2788 wrote to memory of 2632	2788	service.exe	38
PID 2632 wrote to memory of 2700	2632	cmd.exe	40
PID 2632 wrote to memory of 2700	2632	cmd.exe	40
PID 2632 wrote to memory of 2700	2632	cmd.exe	40
PID 2632 wrote to memory of 2700	2632	cmd.exe	40
PID 2788 wrote to memory of 2148	2788	service.exe	41
PID 2788 wrote to memory of 2148	2788	service.exe	41
PID 2788 wrote to memory of 2148	2788	service.exe	41
PID 2788 wrote to memory of 2148	2788	service.exe	41
PID 2148 wrote to memory of 1156	2148	service.exe	42
PID 2148 wrote to memory of 1156	2148	service.exe	42
PID 2148 wrote to memory of 1156	2148	service.exe	42
PID 2148 wrote to memory of 1156	2148	service.exe	42
PID 1156 wrote to memory of 320	1156	cmd.exe	44
PID 1156 wrote to memory of 320	1156	cmd.exe	44
PID 1156 wrote to memory of 320	1156	cmd.exe	44
PID 1156 wrote to memory of 320	1156	cmd.exe	44
PID 2148 wrote to memory of 764	2148	service.exe	45
PID 2148 wrote to memory of 764	2148	service.exe	45
PID 2148 wrote to memory of 764	2148	service.exe	45
PID 2148 wrote to memory of 764	2148	service.exe	45
PID 764 wrote to memory of 1804	764	service.exe	46
PID 764 wrote to memory of 1804	764	service.exe	46
PID 764 wrote to memory of 1804	764	service.exe	46
PID 764 wrote to memory of 1804	764	service.exe	46
PID 1804 wrote to memory of 1812	1804	cmd.exe	48
PID 1804 wrote to memory of 1812	1804	cmd.exe	48
PID 1804 wrote to memory of 1812	1804	cmd.exe	48
PID 1804 wrote to memory of 1812	1804	cmd.exe	48
PID 764 wrote to memory of 2968	764	service.exe	49
PID 764 wrote to memory of 2968	764	service.exe	49
PID 764 wrote to memory of 2968	764	service.exe	49
PID 764 wrote to memory of 2968	764	service.exe	49
PID 2968 wrote to memory of 2292	2968	service.exe	50
PID 2968 wrote to memory of 2292	2968	service.exe	50
PID 2968 wrote to memory of 2292	2968	service.exe	50
PID 2968 wrote to memory of 2292	2968	service.exe	50

C:\Users\Admin\AppData\Local\Temp\dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe
"C:\Users\Admin\AppData\Local\Temp\dfd60f1545c76bda5f275518b80cca6e6af2f845a5fbd733ae73848cece938b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempJLGCE.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CTKITRPUHLHEVTJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
  "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUGVAFUVTCNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
    "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempPWMKO.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ABWSNBWIXCHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe
      "C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTQRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:320
    - - C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQANY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXJGLG.bat" "
        7⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJSPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
        9⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUWRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        10⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWIBVYCT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFEIWW.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CFRSNLODRYHTYIU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGPCXB.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTRVQYNOAGNNWSR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
        13⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        14⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTXSPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMXVUY.bat" "
        15⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOSNVJKDKKTOXOD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAPQNWIOT\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\FNFXOLFAPQNWIOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAPQNWIOT\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYUPDYKEJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
        18⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFSAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        19⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJVRPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJEABL.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGRONREIECSYQHH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHJECEUIPKOLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUCDOULJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYFGDL.bat" "
        24⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempASWRN.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VIKFDFVJQLPAMYU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWTTT.bat" "
        26⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        27⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWDMDX\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWDMDX\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCFGQL.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWKANJHXWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNEVMBLB\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNEVMBLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNEVMBLB\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYUVVA.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMKMCQXGRWHTEDH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
        32⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACPYL.bat" "
        33⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIWXJPWWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQHUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCNUYK.bat" "
        35⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LTLAUQLUGVAFVWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLBLFDGWSTBP\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLBLFDGWSTBP\service.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "
        36⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVTRVJMIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        39⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe:*:Enabled:Windows Messanger" /f
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe:*:Enabled:Windows Messanger" /f
        39⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        39⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        39⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACPYL.bat

Filesize
163B

MD5
adc9cac2427b8d4c731806d76ce77981

SHA1
0a8f79b1d799052be679f429e28c8ec61fbd4f99

SHA256
7cf13c1dff247593daa4667e2446ea1b686cf218a3b470fa8ead51d5eca0cdb2

SHA512
d083bbd4d449dde8fd966bd20b8ea4621763442de52188b016d55df3ded396a16d1b921e7278e80043cb741d81b7f2fc26ea9842d22ea5acb8cf635d4da3b5be

Download Submit
C:\Users\Admin\AppData\Local\TempASWRN.bat

Filesize
163B

MD5
44f5f11a48ce72424b5514e31414e487

SHA1
dd83455b4fb4be79e75238ea5318f4cc5ac12068

SHA256
fefd588a6e065d8b47b954e555782d7af077835c3b4a438daea79b9f7e419d03

SHA512
ed94fcb9772aa0befa64b304f3f8054accb3cfbb0d21290e3ebccfab0a4161b876ce2f6e2fc9e3b9c59aedeaf84cec1fa1aba1ab3e20981f37463ff08a3560f0

Download Submit
C:\Users\Admin\AppData\Local\TempBEFPL.bat

Filesize
163B

MD5
a6a9fe7d8be45323bf05068f5b2686ed

SHA1
528bf4a9b252731a33830cf76ec4f0d2134f7f9c

SHA256
02067c989143b747fe4702df88a33cd934c4da2e33ebe9485da92a01353b3073

SHA512
316b2140e4bcb3478e20c539e0e31ba53eb586fb51c251f7f01793827b539367c24022c58bd3d50db966d8780619f076b1387dc41b2093f58784f093907b0c77

Download Submit
C:\Users\Admin\AppData\Local\TempCFGQL.bat

Filesize
163B

MD5
1b8023e1ea753567fb4340062f8491ef

SHA1
f53c5f3f92b590bab7f4eb44402058f0a4a82ccc

SHA256
44164cfb43b4b87bcd1fe90c5f58e7cb21aec3f8c218edc88e87414678e6ab77

SHA512
127de1ebaee5db87d12ddc734f5c9e145d8e0ff1fbc6041b111639bdc18cca0423511faf76fea312b27ecf4c2f4a6421c1973eec31ba608a78b0c95bb3635330

Download Submit
C:\Users\Admin\AppData\Local\TempCNUYK.bat

Filesize
163B

MD5
b7ab8d1b68bf40d800b8fa32c59526f9

SHA1
9320f30dab7f4ca5bdaeeb2bfb1a2c0cf0e0e8f2

SHA256
d8c35aaecc89a461f0fe3021f38fee89187837a21e3eaec261b76553c0a15c59

SHA512
43790bb3a0df38183fc2da28a8ad117ee4c3472adde950a5c72ba088805180af4526fbeefba9608106d780689c891df00da0423b11b53b4506f655ab4a5ad665

Download Submit
C:\Users\Admin\AppData\Local\TempCWAMY.bat

Filesize
163B

MD5
4c96b962cbc6c9b0aaa19b48ced66cd7

SHA1
da2c727f79362c6a6f435674c9006d0df360e8a9

SHA256
04d3cce2223ec9dc79687e2ba001e5e15166a88a167208c412ff772e7b2fe048

SHA512
99544fe0379af5b290701c8b10476bdb37ec09d72eab7f05d79150e9a94f5131a27724cddfa1899c93c09ba051548d20da2908a4c91b62a1d11f48d4ec4d9df0

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.bat

Filesize
163B

MD5
0a642b13e305d30ca155412d35b152af

SHA1
781496d9955791faa48807abc37e66baaf0169f5

SHA256
1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797

SHA512
de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578

Download Submit
C:\Users\Admin\AppData\Local\TempFEIWW.bat

Filesize
163B

MD5
fc4851246ddcf9e8ebbbe92cb9246b26

SHA1
46e4b86cfd550013e5fbf1f2bcb1fcfebcd8afa4

SHA256
3017b05602ef3da3c6c51303f2ffd13e3dea46addf6a36111aafef56ea4ad3ae

SHA512
bcb1e1ebfb81d8bf2925b572cad318b35ca22fa0e50b750a60c859717820e7179cca1c1ed8f38fdd9f13d1348af4ab752703b0255ae73befb0aad70dbe210eba

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOJ.bat

Filesize
163B

MD5
8b090728fee03de443e08a7b37f627d3

SHA1
3f8d656f7326f408eb6e084f5ace832fa600d130

SHA256
6f121e5f028070a332505d8b0f660c29f7965d2e55194775ef573df9ef0c3865

SHA512
68f0bc3fde3acbfa300a2702e8cce74600557b326d6db2ef794af6abfa2f376bbd2e0e2f9eac37f8e0518bf302de7bf6d1c9a09142ae13240cacacd9c6262d79

Download Submit
C:\Users\Admin\AppData\Local\TempFXWST.bat

Filesize
163B

MD5
3869b6196cc2d9dc34115f8db8b3bcfc

SHA1
c68a754ac44aa81b5036da07830c139effaa3e95

SHA256
9875e32ed04bf1f6351dfdfc6f9db0a49f78d0208235abc8607b66a5afcfe151

SHA512
6a5324d5b8bf3d5ed1b37802e83a337854a5779541fb3aa71ee53a5e6fc6199c570a632092d211bc32066dbea36f9b3c46430f3909c178f83afdc655891a7b49

Download Submit
C:\Users\Admin\AppData\Local\TempGPCXB.bat

Filesize
163B

MD5
c0d97d1d12277bb27029eb7f00382d5c

SHA1
b03bc7e16c4b7f63f89b5c860126a3247d137377

SHA256
b0bebe59d4c70b648b3cc5befcb7df3f2a06ce50883173a13a199b50c094b8ce

SHA512
552a2c9b4ce1392441ac93d8c83e890eea9b620fc6f35dab363b18389580b78e5c8ec69ed46935b1626bc7e21227aa1d51e1a8bbd2326279bf3156d768274250

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
97e359d213fcb51913df3a876212a8aa

SHA1
53b7761ec8034d5a4003399450bf5f0a914068df

SHA256
45e426550bb39ff1bf172a2f66c9a791cf6c0f50175ebca2fed424dc7d69cbb9

SHA512
eeed7664ae96fcce096a66e448eba7d37058034567b022c46b6bf4a639882144ba838d41abd8d562cd90040425df64f9d62e3cde0a033660d6ca179d727d4395

Download Submit
C:\Users\Admin\AppData\Local\TempJEABL.bat

Filesize
163B

MD5
20c81c4ef9fe0501edefaf2d8e31e688

SHA1
e9853d32334c48516a6e52e4a627ed0054265b2d

SHA256
3a5248a148ee0dcf63425f811f1d8315bebacebf6bd127b5ddff0432be17680a

SHA512
f891ccc719a918395f221d93ad2243b77699c21da2df7394bc1b339736ffdfa076f4e41fd75470f98e7ee0c3c5d19a168fd5894084ea92a885b69c3903ac9f2a

Download Submit
C:\Users\Admin\AppData\Local\TempJLGCE.bat

Filesize
163B

MD5
371015353efa2f95cf4c6e138570e233

SHA1
65581aa2eb90f5cb6227cb7d44f613c9bbffa6ff

SHA256
65feb910200148d4d4e313f5c1fc17b9c56423cd1145b141490536a7bd5a9b1c

SHA512
b618eb43019db76ebf3ecdb55c42f056a059502ea6ce86a68e3708593a6da22ec2b1f02a7a250b561cdd43859d5d606d7bf3fdb7cae5278a19add3708c00e96e

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.bat

Filesize
163B

MD5
cd7b73ecdab64dfabaa705c8175aa245

SHA1
f28fb8fca424755a0dbd828c77c6d0e583b9fdbf

SHA256
3c9928829d3e5d2b03d80be1301e08e77f42dbd1247665728c0751931459099e

SHA512
bdef52704c32326b0e08a96e910a650a3ee5c5e1ec956aa839bf49bbd0227d87fa540c466686a9616a0cd4e0e7ec55fded3efb66719ca6acf9fd9584e57f489d

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSA.bat

Filesize
163B

MD5
a4d004ad29d3b8175a96f922359cc315

SHA1
0fa15cba7e806e78247ff7a5a5aef1172dbeed47

SHA256
3e67df9708b257edbe5dc59a43ca15b93a69924b932332eb540da0ef422b729c

SHA512
81259fbf60b4f0153dbcd04484d0ad28ab3fecce6d4945a3a72b8535d6d120b20ceea5d1be9bbf32c5f35c1e7ca97cff84ecde6f288ebd29019b98f1783af423

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.bat

Filesize
163B

MD5
a1a8ad5b6a584f434583f122ed1507ca

SHA1
e0d5dfe6b6bf1da3261fd1aa876f646d5c025c6a

SHA256
5e95c507b42243e7f72deeabd78a9f9a84f517cdb106a38f35b168ee71bb21a0

SHA512
049e6f0ff2e3d27171eb54fab8e7baee9a284845a4b8a21211141920fe679aa82d8e42e3b1ba4e3573ac1f5aa0e4a2109fd4fc7f98b83e6599c105e9ef933ed6

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTH.bat

Filesize
163B

MD5
3282b639117dad270092e8770d4794c6

SHA1
a063eb69a05d09ca7dd3f344a41ee7ada7a7cecd

SHA256
bab0702ba8bd7f75d68b906790e40aef0c3d7dd5f2aa3b7bbe7699a97d370d26

SHA512
5e07f6d863fc71b58006f729467be3462c926e9b19cd9057730d2408712a9a52ae97744452072a8c3ff27d0a8d4ded043a219b932cb5fe931e81b99f4ca0dcc8

Download Submit
C:\Users\Admin\AppData\Local\TempMXVUY.bat

Filesize
163B

MD5
aea833efb2a2b4b15a4b4f1758544b92

SHA1
2f53fc4aab67e1f5b54b7d84dea0713e88d18a16

SHA256
9b91b1889eaa4726090374bbe92e281d8f4c7054746fb0e80c4da9bd7e454aec

SHA512
df0d570297bf1e6062cab113bc1209071d68ae45cfad407c3fde837d0a96ca32bbd156edf5e14180fc92acad86c2deec74088643a3b533de62fba3649191dff2

Download Submit
C:\Users\Admin\AppData\Local\TempNOXTA.bat

Filesize
163B

MD5
6d3d8234a6f0c044c98e8a6706850180

SHA1
cec6bf964e5aa8ee5f7de8ddc0f7c33d78ca7f9b

SHA256
8d02e2d7823269e690522828eb65bf3c7ce77abda1b0366660a7fe62444fab93

SHA512
8ae8572a5b70fd0e01baf25756c2fe770a8de219e9d75f934d778fd90aa87881eef181484af0a16c651f9bfb684a25a8f14c7e270d6a0d5acde34934d2dff191

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.bat

Filesize
163B

MD5
5eb9108f067adcf608d833883e3a07f2

SHA1
e650d4150cfe98abda68db69d44ca5be8db039e9

SHA256
034166308c5ecf920f9528df3e6360e277479d497e1c01504226893f1d3fb97c

SHA512
d1fede2b3bb65ddf402b09de31213adafbb9ab1800d7e97fe855682e64aad93dc29a7de29a244ab200a52b7da3984050ddd6ec010ebe33cf12faea7c39a7f5d8

Download Submit
C:\Users\Admin\AppData\Local\TempPWMKO.bat

Filesize
163B

MD5
c9bf84e720372540c21b65cb6be19304

SHA1
19bcaffd4f37704a8106d311b8ecf2cda389a5c2

SHA256
009ae9d879cf48e9730d02066205eebe79e409260ac27e1e2233f30b39d150b4

SHA512
895ffa791cec5d0cfe88d335cfadaaf57f95d22f1c3671762626dd397d3302e9b7ff5c45c28b68b36431b23a194c3e8bb78a43c82dddd9fb47dfbbb53fbce04d

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.bat

Filesize
163B

MD5
bc29324e752e496890f590a0687246da

SHA1
4712ee433a672e9868710d467ddcaddfcb123705

SHA256
95c405584e94f0c2505e8983151d0adb5861ab9f18fbf5880d56a6c544bb7852

SHA512
43e783a4b97a33de0393f525a64a2f84bbad571a22573b6597e7a5a03668761dca5aa62439ace7de7b790543e90f210c5f7f17f2b5fd6d775d652f2440f7b957

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.bat

Filesize
163B

MD5
4312a181e4cdda08330c6bf80067acb4

SHA1
f9f90def514dcd98d07c8a93080f0aa21a5ede05

SHA256
1ac8ea8a829ff31007b7d7c33e1f686d875f8e759c346b465c5bebb520b3d095

SHA512
310c6647c0939bd1fc546910ec36aa01602ce39220538920e8086580577088611fca4b8bce8c7ddfb35984560504b1f0618c4d028aa25a5e582967a038de9f67

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.bat

Filesize
163B

MD5
91109f752d555e3b0a4fa5c910acd8d2

SHA1
0fa720f6b36860c79a92f2fc2fccf5e9c90561b7

SHA256
c5e81986269650788a5c8cbf355723eb92a6987915d658111604d3b973378106

SHA512
6a02fbba4c8b2220359c77c78469aff0fe38b703d0e38d2078bea8dc2160ab12afaa7064092a02e5444f27529015adbbe925567e8321c385533b6190d1677abf

Download Submit
C:\Users\Admin\AppData\Local\TempTRVQY.bat

Filesize
163B

MD5
cc2281b5290761dd2186c3350cc6f4a4

SHA1
17624a63b7d755f01bbbfe2898ad67b1d2a1a24f

SHA256
f03902729551f314f17f2ebd714aa5f186553d3c0f666017dbebd151cd4fc2c5

SHA512
444e26b2253d5bfe51b3d12faab6d56ab5fbcad19333b9a5c6e0ab645af918df3f789a32816ee438bebba76357c0df4dfb969d7f9fa9adcac29c49307f1991b2

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.bat

Filesize
163B

MD5
e801d454bb705b69e1efd1bedc2329e3

SHA1
84091aeccef7f181fe4962a7ee4b7770add66a98

SHA256
e65e7921c9c60dc183340e13e770e2a5d41c6ebea39361f7a5bf7023c174a2fa

SHA512
a94db39f5bd02fddb589f92ae8753eb192750a90f6b46ae510084a22872d7784ceef63a8c53fef29cccdc3e05408beafa6a8f0dccad5947447e6cb8b17981167

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.bat

Filesize
163B

MD5
bbe5f152b4f3e3d5ef9931d5cd8d0fee

SHA1
5211e43dc2141d5760599ff6ff543bf75cf64a57

SHA256
6891da7dc2d09c62f86c43a3fac820a9d119fb92e6a31547cbd02785a46ece9c

SHA512
d434ae818450ebc09541f35981b839cca71d8a9f6d2947cc1b81b4bc58c9c5c4948502017e1cfa03a7a9c024fe644353a88d77ebcf66e5280169682e0d2aa3c2

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.bat

Filesize
163B

MD5
f286a997dafd3f45392758cd25adb9c7

SHA1
dd9863ba8a55910f95341ac38268e7bbd6c27330

SHA256
5e6541f54dfab8ef75e8af742526b73008d832be582cac12e866c730228ecfc1

SHA512
68071827c9ea291a46a5931c8a87d56a0e1122b46b420173919c818bd47ce3caa4a273b161301890cc48fba61b5867a8461cffe2ad7edd796a808d8238e3355d

Download Submit
C:\Users\Admin\AppData\Local\TempWSRGP.bat

Filesize
163B

MD5
035f1c7ed9b27d9073d73906455a2fa7

SHA1
b6edffed330d3b9db173f4f7ab44438b8de0f0e8

SHA256
086f99f1b6aa48c8e62a088b99ec7a6ae9334ee35ecbac29cd73903cbda438c5

SHA512
838ebc31f4c26a0dbdc9ac895fdfefe7f1ee0e5674c75e7087c52e01ae1b45a1271e1149c24353bd036b49dd8b319328779e701370de2941b276241eb7710d8e

Download Submit
C:\Users\Admin\AppData\Local\TempXJGLG.bat

Filesize
163B

MD5
f6c6a403a39749222bb69c6861d6e00e

SHA1
929cdf17c595d7dd4ae3dcc73744d40fb0916469

SHA256
fa980b6510eb003301bbbbf3041d09df1c00ece88db792be56ef83183710eb4c

SHA512
9244c30fdf053377ce4133f14e9d1f794f01121a13e62551cf80f90f2dddf884b2713466cb235cd1cad2cee1fde843df5b9a5499aef76ad61c2c20db81f0f6fa

Download Submit
C:\Users\Admin\AppData\Local\TempXWTTT.bat

Filesize
163B

MD5
601e13abe3a7c6c4ba9ec5974385f941

SHA1
11d3359c26ba1b2a30ac5fd86771641fd3480c35

SHA256
e6914e4e8ff8bbdbb6bcd169d24885e364f75ffcfbe5e0bebd345d55a50e0f38

SHA512
9b2f07abe4efa44cb181f5b6c6f80a2e52c0cc536d38d4ba77ce0b98fb6b4d78adf2c5247fdbff966aef67bdfb67805cb9862e5eb36cde513d4e666ab4eb9572

Download Submit
C:\Users\Admin\AppData\Local\TempYFGDL.bat

Filesize
163B

MD5
ae2b80ec322acc6a3a92946b6017b9b2

SHA1
df6d13bde6c449353f44fef2a2ee64117504e7b8

SHA256
40baf497022d6b4a4b5aab79809cfe0e6cc012491fabd0beff85cf55ee2495cf

SHA512
ea3175e8f20c417250ebc64d9ba7ff6f9092ea1cfcc598a93f2a58de8329d98c649d47bf2a8b4a85a834d9fe222e56f993b245cd9a89cac10a8cad028b9200f0

Download Submit
C:\Users\Admin\AppData\Local\TempYKIMH.bat

Filesize
163B

MD5
ffc855aff102d74ae673fe8eac8c2e70

SHA1
d68a015334a2510a13d74d7d7391d88fccc0a141

SHA256
eb798d686427248292fb0d88fdd4d552666ff67f5e040f078cca0cd33485cbf0

SHA512
1f257e4af2b78838845681020a1f8e91cdac1889f4b87fcd68b8cceeb115873ded4d32bdb6db3eefb94c8f8422be3f45d018db558bb003cb09815c35f0aa8d44

Download Submit
C:\Users\Admin\AppData\Local\TempYUVVA.bat

Filesize
163B

MD5
795bcbc2cd5758561c8d3aadd45bbc5e

SHA1
3655b44c026453758f8c2f32aa4eef1fa251edb6

SHA256
442c6366478b809ffa4ed592674fa3f058a2e251e130695a779b921f88eff1b1

SHA512
965afc16f37861ad395c0f66b4cec9d808179386a4fd2d8e0893c0aef05d75fd6d07123acc0212e4d120f4a7c09eff8894385eb7c63021f86496b8082df54475

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe

Filesize
520KB

MD5
2f22812a29bd5b022ae07c8949cf8c06

SHA1
c53712d05d9fd7d90dc5c6092b750c04d15e23b1

SHA256
56656179333efc8351a853326e9e0b42b43e373d90e742a7171d0f163f557482

SHA512
6b4a3c362c7e561ad48bc939e83ce38038937e6eb032ef57aad333b4d8b151803f5a83e8a91821a404ec1d78ef8424d93ef07515d6de1ecfbc4608b74726a65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe

Filesize
520KB

MD5
70f89b5e06ac6387edb6ed349a3a56c8

SHA1
a252267cc45389f4ff2dfbd6d4671fe890c7d39d

SHA256
b45a82bf33dbc6976ed6e7aeb2980d7616565d36327fa2634a21ed80cb632eff

SHA512
0592bbbd228bca231dddf649af1c0fa4b65d87d5be36419bc74dc335b5f7582ef117a8058e92a8bff387ab51af9129851db356cb6f78b967648abb2688c02430

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe

Filesize
520KB

MD5
15a90020023fc7b9dfe4b1135d6c7228

SHA1
04b157ceceb2baf73d3049c9d439261fbc834365

SHA256
b995ba29109c0504bbc97d7ac8739182e3c7ee140f513a0979820ffba7f49315

SHA512
a9948480ad42995a642a6bf1ec564eb0d6b15119af9dd6b9f11295283a3f5207c04c9c1b354bd95c0f3bce474f9e8c79db60a2b29e364ed76cb269e2ff784d1b

Download Submit
\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe

Filesize
520KB

MD5
c7e6a875d42686236a7068b5396b8f77

SHA1
a5cfe688eb34afd523e9e73e475c49cfb73ff0d9

SHA256
da1434237ee6aaebf7e970da9c548d7f669ec8f6f93d5e36fe46691d25dac877

SHA512
099c6f253375734295c636e71507024cd4bb6465fb549764e1df713e8a5e6f979716515a2cee13dda7f452e803b74ac2218b6b7cb824aef12c1fcc589f0694ea

Download Submit
\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe

Filesize
520KB

MD5
a3445ce775ebd11da3b88360162a5aa3

SHA1
f5c5ec3be1ae4487fb7d3ae8adfb4d5f50d577e5

SHA256
851360e33ddec1438221d9e1fc9784816620cba511ebce404bfacf75df34d419

SHA512
66e1c3eaf19cb1bc8afe4d38bff90fc817ae006e4a2f4aa2c4f15d703ecfc5428fa3ac3bb430b155f4b6ae7d8ff158f92f47ec189b3604bed4ac6e3b8e1b910f

Download Submit
\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe

Filesize
520KB

MD5
676876641ccecdde8059829a9745e571

SHA1
71d334889a6c59d05f5f6ef3aaa4711431aa8a5e

SHA256
8ab162fc8cc999e1b7c85ed374317ed975abed0f629ff90facc2e9894e2c7a5a

SHA512
1f5c6d3ad90cc1afcace2d6b1eac1a0d97f2d2aa334f1d402a261bbcd367ad2329cad5e06444de5ae73cd0cc5267708d1de35f5d2940231160a2b608687cff3c

Download Submit
\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe

Filesize
520KB

MD5
f5554c9110408d4b0f268ad8f737f9d8

SHA1
0f518b16985270766cbc382aba5d08a29d2a5d15

SHA256
a0959202a1ac89873fa72f61c87f1cc5b8b77b3726158c50f7014f09c0caa5d6

SHA512
903875e766872061147b285b74818242dbcde547af3aa90fe959e3340e0c4ec90c6291d3c9447fe7535410c2f69f6d3b4f4d1ec14303dcfb2c55118f820c400d

Download Submit
\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

Filesize
520KB

MD5
504b02f907acc85d18e5e3046e5a9c78

SHA1
e4eca790e1d0f907f541191cca14d91f3441f5a5

SHA256
0af932fb6285576733b0b1d101475e95fba64ca85907ca27c4986313a13c4c08

SHA512
8b3245966c2a466da61c75bdf6966b0794bb25ec347d33cfa8d019658b89b17f79998f0f7232a7c8b79398089a0f259a807a38a544cf8c1205dfa9c3a5f84623

Download Submit
\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

Filesize
520KB

MD5
9894cbc622f8791c8883384ceea630be

SHA1
c6e2af7b363649e0799903e99dc7b79728cbee81

SHA256
867d3bfc5702dd03ac53e04751752c11188d67a346097ff6133ec3bce2056af6

SHA512
ba7b6a3e3511ce4099209a4a8de36247dce3cff20f87a1aead3ca424d3dfe6630798dfd04e4d6c2254b7563e344d6b72eb3bf2114d3442c230e1fd5d67b2e1c7

Download Submit
\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe

Filesize
520KB

MD5
79d260b5294a10b78f41a511302d9988

SHA1
e0c3081521882e2803741881780c764077042c1f

SHA256
0bd4c57d169b0506f707b5f9699f39068346bd042f78de9068929f6f5cd447f2

SHA512
f753b53c5f72716e987224081f5d273423e4e5b7fd50d6c2ea89a36666da0147ad946c29edd9a34bb1ef1ed782ac256858a4c7bd869d2f01623df213ec6ec69b

Download Submit
\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe

Filesize
520KB

MD5
0db998c13eeb1837e8cb1c243add7f19

SHA1
834c0a866fbf15c3e120a5393f5692be0c16baa0

SHA256
99f11f112e806d7006e250962eed04d192452588d521af3c93efe816d17985cc

SHA512
dea364d44fcc84eba3592077d358a6258189c7a8cab4e893ca3281ec0c8282e16e0c3bca3189f02b6592cb8d8750a66a267514542d58f927f4840a24b42532d5

Download Submit
\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe

Filesize
520KB

MD5
7f337dad47d0c2bab0843e47d9d281c9

SHA1
89af9bc5088caa2dd5f6bee59d5d1975c3d3ab82

SHA256
7f103d662077915e32f540baedf7ff7cc7e1047e2f885dd05bbdb4e90734de87

SHA512
38fa77ba46556d979ca6748a98ebcbf616795bf32f64383b9622cebb5739cf08d08c7bfa8650f9e5576eb42492b02e3f9767b6a1e20caa8086fc79ea3537f1ec

Download Submit
\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe

Filesize
520KB

MD5
a76ce2ca1f217f2c089dfa2f27a3bf03

SHA1
7c7ee4cf1147e6df9d1e1791a35ae6a4fc48a7df

SHA256
78618fb140585c0e899746c51075bf12461b800428d3f70bc61f4acfd7710a10

SHA512
b3bc1cac6d364b08b7eb91d373fae9afdedfeaea0fab6db4cc5a31ea08ffbe25c2599664b7a242d3e87e554742d72436f24af7f1becf826ff82c2cc0951c1f3f

Download Submit
memory/984-906-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-911-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-912-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-914-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-915-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-916-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-917-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-919-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-920-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/984-922-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads