blackshades | 4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe
Size

520KB
MD5

5806b77724760b59e3e44c7f1d312973
SHA1

bf51062be1470c70732e2fa00919c4037cc208d2
SHA256

4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa
SHA512

93386dd2fc06c4be1c611c877821306a12727f643047bd959666631b00bfd47949d55bfad92bf7b129a446b229f838a148b597d837806e893c58dfaeb9cb9c0f
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXi:zW6ncoyqOp6IsTl/mXi

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral2/memory/468-834-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-835-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-840-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-841-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-843-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-844-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-845-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-847-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-848-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/468-849-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 32 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe

Executes dropped EXE 33 IoCs

pid	Process
4956	service.exe
3920	service.exe
1564	service.exe
1580	service.exe
3972	service.exe
3528	service.exe
3684	service.exe
5116	service.exe
4648	service.exe
2372	service.exe
3448	service.exe
3256	service.exe
704	service.exe
4576	service.exe
2232	service.exe
2928	service.exe
2980	service.exe
5056	service.exe
2252	service.exe
1580	service.exe
4648	service.exe
3720	service.exe
3820	service.exe
2416	service.exe
2928	service.exe
4988	service.exe
724	service.exe
4868	service.exe
3628	service.exe
1404	service.exe
1200	service.exe
2824	service.exe
468	service.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGCACXSGNHMJURP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRTXVYJOTAGDSS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VRFRCBFXWTUHMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVEQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNKJNBEAOUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GYPMHWQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSBVXLPVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VWIOVVGBOXKJXEU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOINKV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLLXURVRYNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XJRJSOJTEUDTURA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOJNKV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYWKPUBCHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWHFJEMAXCUSBBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQYL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FBPVNEEGBIVDRQC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXWMWPOQCGLYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KULGGTAJXSQBVIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEME\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCOPKILAOVEQVFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWWKLGEHXKRBMR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSYPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIWXJPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSODRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSOCPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSHGHDBIDYTGO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAHTUPNQGTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVNJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SFNEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDSXQGQKILXAYGT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCIAFTTHIDBEUHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ALQMANYVBTXSOPC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDDEYEAVQDK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PNMQDHDBRXPGFID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLYBGPGF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTNNXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SUGMTTEYXMVIHVC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWXAKPWXIACQMLY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIASJGAUYKLIRDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QXNLPKSGHYAHHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDQTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BVAWKXIHLYCMSKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXIUTUQOVQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\STBOOAIRYJFAQJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJKGEGWKRALQBNY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDECKDHW\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 468	2824	service.exe	230

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3948	reg.exe
4844	reg.exe
3420	reg.exe
2240	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	468	service.exe
Token: SeCreateTokenPrivilege	468	service.exe
Token: SeAssignPrimaryTokenPrivilege	468	service.exe
Token: SeLockMemoryPrivilege	468	service.exe
Token: SeIncreaseQuotaPrivilege	468	service.exe
Token: SeMachineAccountPrivilege	468	service.exe
Token: SeTcbPrivilege	468	service.exe
Token: SeSecurityPrivilege	468	service.exe
Token: SeTakeOwnershipPrivilege	468	service.exe
Token: SeLoadDriverPrivilege	468	service.exe
Token: SeSystemProfilePrivilege	468	service.exe
Token: SeSystemtimePrivilege	468	service.exe
Token: SeProfSingleProcessPrivilege	468	service.exe
Token: SeIncBasePriorityPrivilege	468	service.exe
Token: SeCreatePagefilePrivilege	468	service.exe
Token: SeCreatePermanentPrivilege	468	service.exe
Token: SeBackupPrivilege	468	service.exe
Token: SeRestorePrivilege	468	service.exe
Token: SeShutdownPrivilege	468	service.exe
Token: SeDebugPrivilege	468	service.exe
Token: SeAuditPrivilege	468	service.exe
Token: SeSystemEnvironmentPrivilege	468	service.exe
Token: SeChangeNotifyPrivilege	468	service.exe
Token: SeRemoteShutdownPrivilege	468	service.exe
Token: SeUndockPrivilege	468	service.exe
Token: SeSyncAgentPrivilege	468	service.exe
Token: SeEnableDelegationPrivilege	468	service.exe
Token: SeManageVolumePrivilege	468	service.exe
Token: SeImpersonatePrivilege	468	service.exe
Token: SeCreateGlobalPrivilege	468	service.exe
Token: 31	468	service.exe
Token: 32	468	service.exe
Token: 33	468	service.exe
Token: 34	468	service.exe
Token: 35	468	service.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
5076	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe
4956	service.exe
3920	service.exe
1564	service.exe
1580	service.exe
3972	service.exe
3528	service.exe
3684	service.exe
5116	service.exe
4648	service.exe
2372	service.exe
3448	service.exe
3256	service.exe
704	service.exe
4576	service.exe
2232	service.exe
2928	service.exe
2980	service.exe
5056	service.exe
2252	service.exe
1580	service.exe
4648	service.exe
3720	service.exe
3820	service.exe
2416	service.exe
2928	service.exe
4988	service.exe
724	service.exe
4868	service.exe
3628	service.exe
1404	service.exe
1200	service.exe
2824	service.exe
468	service.exe
468	service.exe
468	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 1012	5076	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe	86
PID 5076 wrote to memory of 1012	5076	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe	86
PID 5076 wrote to memory of 1012	5076	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe	86
PID 1012 wrote to memory of 1652	1012	cmd.exe	88
PID 1012 wrote to memory of 1652	1012	cmd.exe	88
PID 1012 wrote to memory of 1652	1012	cmd.exe	88
PID 5076 wrote to memory of 4956	5076	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe	89
PID 5076 wrote to memory of 4956	5076	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe	89
PID 5076 wrote to memory of 4956	5076	4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe	89
PID 4956 wrote to memory of 4000	4956	service.exe	90
PID 4956 wrote to memory of 4000	4956	service.exe	90
PID 4956 wrote to memory of 4000	4956	service.exe	90
PID 4000 wrote to memory of 2776	4000	cmd.exe	92
PID 4000 wrote to memory of 2776	4000	cmd.exe	92
PID 4000 wrote to memory of 2776	4000	cmd.exe	92
PID 4956 wrote to memory of 3920	4956	service.exe	95
PID 4956 wrote to memory of 3920	4956	service.exe	95
PID 4956 wrote to memory of 3920	4956	service.exe	95
PID 3920 wrote to memory of 4216	3920	service.exe	98
PID 3920 wrote to memory of 4216	3920	service.exe	98
PID 3920 wrote to memory of 4216	3920	service.exe	98
PID 4216 wrote to memory of 4172	4216	cmd.exe	100
PID 4216 wrote to memory of 4172	4216	cmd.exe	100
PID 4216 wrote to memory of 4172	4216	cmd.exe	100
PID 3920 wrote to memory of 1564	3920	service.exe	101
PID 3920 wrote to memory of 1564	3920	service.exe	101
PID 3920 wrote to memory of 1564	3920	service.exe	101
PID 1564 wrote to memory of 3500	1564	service.exe	102
PID 1564 wrote to memory of 3500	1564	service.exe	102
PID 1564 wrote to memory of 3500	1564	service.exe	102
PID 3500 wrote to memory of 3820	3500	cmd.exe	104
PID 3500 wrote to memory of 3820	3500	cmd.exe	104
PID 3500 wrote to memory of 3820	3500	cmd.exe	104
PID 1564 wrote to memory of 1580	1564	service.exe	106
PID 1564 wrote to memory of 1580	1564	service.exe	106
PID 1564 wrote to memory of 1580	1564	service.exe	106
PID 1580 wrote to memory of 2844	1580	service.exe	107
PID 1580 wrote to memory of 2844	1580	service.exe	107
PID 1580 wrote to memory of 2844	1580	service.exe	107
PID 2844 wrote to memory of 1800	2844	cmd.exe	109
PID 2844 wrote to memory of 1800	2844	cmd.exe	109
PID 2844 wrote to memory of 1800	2844	cmd.exe	109
PID 1580 wrote to memory of 3972	1580	service.exe	110
PID 1580 wrote to memory of 3972	1580	service.exe	110
PID 1580 wrote to memory of 3972	1580	service.exe	110
PID 3972 wrote to memory of 1528	3972	service.exe	113
PID 3972 wrote to memory of 1528	3972	service.exe	113
PID 3972 wrote to memory of 1528	3972	service.exe	113
PID 1528 wrote to memory of 3492	1528	cmd.exe	115
PID 1528 wrote to memory of 3492	1528	cmd.exe	115
PID 1528 wrote to memory of 3492	1528	cmd.exe	115
PID 3972 wrote to memory of 3528	3972	service.exe	116
PID 3972 wrote to memory of 3528	3972	service.exe	116
PID 3972 wrote to memory of 3528	3972	service.exe	116
PID 3528 wrote to memory of 3192	3528	service.exe	117
PID 3528 wrote to memory of 3192	3528	service.exe	117
PID 3528 wrote to memory of 3192	3528	service.exe	117
PID 3192 wrote to memory of 4816	3192	cmd.exe	119
PID 3192 wrote to memory of 4816	3192	cmd.exe	119
PID 3192 wrote to memory of 4816	3192	cmd.exe	119
PID 3528 wrote to memory of 3684	3528	service.exe	120
PID 3528 wrote to memory of 3684	3528	service.exe	120
PID 3528 wrote to memory of 3684	3528	service.exe	120
PID 3684 wrote to memory of 812	3684	service.exe	121

C:\Users\Admin\AppData\Local\Temp\4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe
"C:\Users\Admin\AppData\Local\Temp\4e683bf856d6d6a9048c0fec12e2ec3731762a3333a9ce7945d9450fd16862aa.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJOKWT.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCIAFTTHIDBEUHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1652
- C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
  "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOINKV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2776
- - C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe
    "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACQYL.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIWXJPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe
      "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGOF.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWHFJEMAXCUSBBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:3820
    - - C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIPPYA.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ALQMANYVBTXSOPC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKXIG.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAHTUPNQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNMQDHDBRXPGFID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLCGUM.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBPVNEEGBIVDRQC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFRCBFXWTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVEQ\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVEQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVEQ\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDBFXW.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MCOPKILAOVEQVFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempULAJV.bat" "
        13⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QXNLPKSGHYAHHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNBEAOUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
        15⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRCVV.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSOCPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        17⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVAWKXIHLYCMSKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSSHQ.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLLXURVRYNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTWYJK.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "STBOOAIRYJFAQJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMSXIG.bat" "
        20⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XJRJSOJTEUDTURA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJKGEGWKRALQBNY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPUGDH.bat" "
        22⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYPMHWQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFMRC.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTNNXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYYSLR.bat" "
        24⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUGMTTEYXMVIHVC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVXCSL.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KULGGTAJXSQBVIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        26⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFAVOU.bat" "
        27⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWXAKPWXIACQMLY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIASJGAUYKLIRDJ\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\AIASJGAUYKLIRDJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIASJGAUYKLIRDJ\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOJNKV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
        29⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBNWBU.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWWKLGEHXKRBMR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGCACXSGNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSS\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSS\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNTFBL.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWIOVVGBOXKJXEU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        36⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe:*:Enabled:Windows Messanger" /f
        36⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        36⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        36⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.txt

Filesize
163B

MD5
8cc8a8f9aa167a79e215e0a124948c64

SHA1
027d17f560afc112990c81a11657d96b50be82f1

SHA256
f33342db98fa395a72967b9dd83c914e30e246619c21fbf9faa50afcc42afdd0

SHA512
7f6a329d216714010e0ebd44891d9acd64bd4fab06afe441aa98e8b5695f73170e750efa291406df48100a6429379e5f8d63b96fd69fb710e3007f6901fb7d8e

Download Submit
C:\Users\Admin\AppData\Local\TempACQYL.txt

Filesize
163B

MD5
bb2cd2e9164167a78bf1f65fcd8a8d26

SHA1
389282f0c53768d552e74d996e732141286f0f50

SHA256
411150876db9d19119eef0574f41aff8d2e5cdd5bdd5b4bf9532c511b066d6e0

SHA512
9f9008a4141c78767223cd561eddea8dcce26d8f67f189c49a04ec816c0e38240bb5ca3c5f2275b2eed0b17f71426f2b585646653bde4192a8653fef76d55318

Download Submit
C:\Users\Admin\AppData\Local\TempAHUCQ.txt

Filesize
163B

MD5
4b0d872f3f416957a182ff7e52c309eb

SHA1
0f1b526a0543465b9e3dbeda4d433788776401c9

SHA256
6432bfed5b2ad0c9a8af3893a8ba1adc4366ebfb2bc5c0d373404ddac44baa88

SHA512
4655e8922a7735416c318b9fcbc22580b512c35518ca7ccc8085fba08adb232deb54b6266167f54a7911ae83310c9dc563da8189d836a2ee6d393e074749beb2

Download Submit
C:\Users\Admin\AppData\Local\TempAJXFT.txt

Filesize
163B

MD5
120537d96045d46e2ec2a722f68af997

SHA1
e14c077f5d18ac1ceb39cc6fbea443d10549f1f1

SHA256
707a34b25667e08a7141de1eab266006d310482c59b7ea0b42c472e3beaa18cc

SHA512
2805bb82415c3feb1b5bea94c96e6128cec78f96999ba18a7ac9ab109347df0fbf87aeb89b523e3d10362ad4a111967430d920dbfc5acea73d4ce60773e8c4a3

Download Submit
C:\Users\Admin\AppData\Local\TempBNWBU.txt

Filesize
163B

MD5
05e52611a5e61eb18f9ee36ccda1445e

SHA1
98e3cd096fb9339a3aafffe3aea04df674e60dc6

SHA256
20ad6c8bcc8b8c90936ab733e3faf2e4948dc1b92c7a15c16de292b62c1a6360

SHA512
0ab590a73bf7fa92422c636043c15b793fb059cfa74bcaac43465f4fd66bb6b98f684c25d5d283d0d7be52ec14ea705e8bbb95b33c3998d038590c8a7db575bb

Download Submit
C:\Users\Admin\AppData\Local\TempDBFXW.txt

Filesize
163B

MD5
1bcaaf26dd832b95f12c83c56cc1bf93

SHA1
e00cac28cb646e7411990dd101349be14ace3ae6

SHA256
e8c086d6f85cf7868b560bc31715b7098ab1eca10e9a7947a106c31b7f4a42a2

SHA512
78adb32e476c262a68e0dcd452dc7b080d9c7650b221659140fc0c12868b823da5be528995dc6209b13b7b1fa3b6832956892758c3edca42c6723e0531d4a3bd

Download Submit
C:\Users\Admin\AppData\Local\TempFAVOU.txt

Filesize
163B

MD5
b36e50d9efdbf2d2ef4b19bea9e5851b

SHA1
87412f700a3a1800ee2f9cf046cd5d1838480b3a

SHA256
5df91d75fc76b19c07359b4df388a439aa96f2e032f67c858a4f32cf64893956

SHA512
dbe343580df7f8512f95b2f41926abacaaa8d79d59b6d550714b4e18ec0360e8b339f25276a36bb8c1432c15557e9493cbc1eb578f28c346476e661cd4474b42

Download Submit
C:\Users\Admin\AppData\Local\TempFYYNW.txt

Filesize
163B

MD5
2946e7a424211ef1eba1bba167ab49c7

SHA1
231f6c074564ed32c9697ee23a1256fcfe4692af

SHA256
9bce65c4d5e07a7e262e58a5dd3210170ca111257bde644ac4ec4c7530bcf382

SHA512
15a2408262dfcc3c5014c76b25dfc244d8aed4214a4e7181e59372b1e6bccf3b1501ba608bb5726fe531b3fd5f951312d431c0ba9dcaa4a2ee038a471d7cfff4

Download Submit
C:\Users\Admin\AppData\Local\TempIPPYA.txt

Filesize
163B

MD5
fcc73c94ec48c03574610298933d3740

SHA1
b12d786ba8b0e3294999e1f65090d7167096ed60

SHA256
e6366df01a32370938e11868e09ac4b1f03309504dee6d5156f0d5f6c9cd5c97

SHA512
467fb683400e02c1c763634cb0127b4a315f37edd54460d5b07a46ad6d4ac550b23c546fffe178c58e946ab3df504a37dffeb9c0672255c6057db1341347d848

Download Submit
C:\Users\Admin\AppData\Local\TempJOKWT.txt

Filesize
163B

MD5
d3dec3d755a4f46cb1481bf3a29bae49

SHA1
b4039e8293da99685fbebc6a31c06e0f1374ffa6

SHA256
da09f98041cd78608d907ef06fc0ef0ee15fa1dba9bb7375792c8262873cd8e0

SHA512
389a8218fd757c9aa272faad2fc071d20487338a70650b86cea469db50aa5d21839624bb8a53c1c4cf765cbd8a68504e53c19979870a1e8f8098d52933a3831c

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQD.txt

Filesize
163B

MD5
6a401fac14448a283b090176a53a6b0a

SHA1
d154a2cb98ece0bbe8a6f2d73a905132a15235a3

SHA256
25b5dfefe526d611b4e691a065a0a720f6ff92ec69dfb886fa4120c3d224818f

SHA512
4c2308e6af81edcce42193761419bf3017336aa6858191b30bc2342128273deb45486b44874813e5182715b6b7e472874db8a4d3a9343ea3dce1c94c98434887

Download Submit
C:\Users\Admin\AppData\Local\TempKYGOF.txt

Filesize
163B

MD5
e639a21732428a6804f84269cff210cd

SHA1
029a2178793c32275f5ff798a606aa958b6396be

SHA256
a33e500abb1f551387331580df3838caaca99741115a5710465a72313477ee81

SHA512
43e6c1d60fe8a0645cb25ef78d6d57f94e536c5e9e0cca277ece4b6d98f4cfaf2ca5f7eec5f2ba5bfd5a7043eed64bb27d9659c51df828a4abe89be5ff01215f

Download Submit
C:\Users\Admin\AppData\Local\TempLCGUM.txt

Filesize
163B

MD5
0e306d3b57f0e1c6b43c30d442557cf8

SHA1
d5569fefca0a2710dfdb5b4700cdcaa3eccdcc51

SHA256
d0c1d0e278a327aca051029c103e3f54be14e5c6efb74c61f7bac10013a24571

SHA512
9ca37c880e79f198b87590d58eaf6a6e72e09a1cf490c1a7c0ac411000a87772d573763dd3e79baec09ea824c738c782ed851afb6ccd38bff0ab003022921609

Download Submit
C:\Users\Admin\AppData\Local\TempMSXIG.txt

Filesize
163B

MD5
1b32b90efa0c79c65084e7a3bea70aeb

SHA1
26001667adb267a5ad3458be0dc289765c7955ae

SHA256
6b37b6d562f28b31f55e7307437c12c96c663f90d9750f448f4206e8d197b452

SHA512
da2695da58df57352276b25ac7e43947c3e1c3dc5e2d2a469bd2a0466b4594fee64f18ca1bce4bcaeec448ad512583788e19a77ee29d31182913ecef8185e443

Download Submit
C:\Users\Admin\AppData\Local\TempNTFBL.txt

Filesize
163B

MD5
97173a0b8ab51cae61095aefce232462

SHA1
68df1f5388e5e68fe20a1d00921a8fcb726e633c

SHA256
17171c8e77bf2984b5de46154a08f6ffbe80c313780b62f586719029c12b87fa

SHA512
a58bcc26d8897867a808242ba382ecbc46d72e216dae42a8502b2b4eeed07b0e45b00143ba37014a166a2dd4774367ff3ba33b04769f42944355f371e0b5a7dd

Download Submit
C:\Users\Admin\AppData\Local\TempPUGDH.txt

Filesize
163B

MD5
5d53cd6c09bf8a8e152d1b1ad6d03f6f

SHA1
4bd77dfdc5382f94973de8eace416dcedb724811

SHA256
6fe4591deb236f82206a5b6fb394c14c844949c58f46e5822517258504df6124

SHA512
7b1ab927d6c778d0af46bf8c9e1781a5ae741052316740e19cd38cceac7bd26e6fd931d7095a906d30e73bd8a679702b4126a4d1591ee1d0f049695a6390b235

Download Submit
C:\Users\Admin\AppData\Local\TempRRCVV.txt

Filesize
163B

MD5
6fd117f208423d249769655802c3be2a

SHA1
3ee3d49980f8c042989a99b98355f141a34f194a

SHA256
1c2ba2205211bd08851020aa7e4e858f766c23cd1f7a9edfc88aac533f454f7b

SHA512
9e2eddfb57523bd138b73dd4f3a59912f0727be0e5fb6141f7532c94478083aba7f102e5d4afbc6a098b7c6bf6ff1006a4d69a875287c985cae87c54e5b4235c

Download Submit
C:\Users\Admin\AppData\Local\TempRVQYM.txt

Filesize
163B

MD5
cca137880022155eb1ae5e4a1e8cc46b

SHA1
98f7b54551aa6ca13ef94d577f16da0f99338dcd

SHA256
087a31df68cc4b18712e544cb459f4721173264bc87dda724de0e0a161efcb27

SHA512
3f59023dc0fcf4cded16814e91ae74308394a334ea5704a04e088381ba9735e6d1976796554124a6d8dfc5fd1c9d3cf235251cd0ecceecd3a2d76c7e4185d226

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.txt

Filesize
163B

MD5
9efcd272a5994f0c97d42ec0d6a937d4

SHA1
cfc222d531456045ed248ee8185ec87db535e091

SHA256
bd9b9ed37bd5e27d12081d3903fbbbd63f56939218c31f07d3e2f32dbd471761

SHA512
492450c1e5739060ce0ae5f3f9586a018ddec5de69d8e21b53f7613ea4e85c8a68167e84712ec67c64bd6a1cd2f92b13ee7ce88e9d4e003df452548ab44d665f

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.txt

Filesize
163B

MD5
3ca936f620d7a3e347d15bb84ebe81a0

SHA1
fdac6a1fff3fd9dbc4c61cac11923f21409aea08

SHA256
134e2f8a9baf45c6b4a5fccb35e4605a4f5cbc0260388879f9e73eed7a52f790

SHA512
0367c912421c1a29808e928212347eabb13dc6c7a045fedcb1469b361520f10ce4a51f3c42297ed5416235fe908759bc435be20ba5537f0e3079682f6c02b76b

Download Submit
C:\Users\Admin\AppData\Local\TempTFMRC.txt

Filesize
163B

MD5
7b2dc6e81e9d4ee1b397576c8a5bab09

SHA1
0e7cb6bd412211c39ecddf631e4d97b4bef4aee9

SHA256
75e8fdab0df29fb80679cdd3506e947933b3e088d89ccaebedf169d64e693c50

SHA512
4d0bb20f49e0728301715d6d8d79669b57ec51becac3716326f2fd4d664c74287a93daefca78db1c1edd1ecb9090058d0d2f363f5e11b66e023c0b9983544018

Download Submit
C:\Users\Admin\AppData\Local\TempTOWKL.txt

Filesize
163B

MD5
5ddcc891ceb673c501afe16509f2eb6e

SHA1
4eac37dd45d3f74b5e8e2d3398193f3cfa903bac

SHA256
87b70caa89a3eab3075876bf4955c45cebc0e7e9e1aeff74379e72646a801068

SHA512
0109ac52951cd00684820d2f8c2781ec4febe9c767f092ed1d09dbdb266c45d0f963c2b326782bd6707b974251e549b3a314e1aa0a06ffb37de33ca26886b729

Download Submit
C:\Users\Admin\AppData\Local\TempTWYJK.txt

Filesize
163B

MD5
6c32c92713c981332feba87de2ed7d7c

SHA1
db7de2f1794415ea6b38b18f3adfae72559f5578

SHA256
a089ae2540e2c18738c742a32b406665e5cd172743dbca13074ea7ca62e87154

SHA512
811a9b197fa5eb94a384c204ef5d2836541e718add0ef6baa5e9c904a7d3214f2308666e41ceb4395a417ac47a4c1f1cd307f88e5b65865c83c6c34d2b25a340

Download Submit
C:\Users\Admin\AppData\Local\TempULAJV.txt

Filesize
163B

MD5
27b620eda99f506347ed781ad78eee9e

SHA1
0ff0f2449c62df96faa80a40f07ba78d33007719

SHA256
4e000f66953940a54114ce5f53e243e05a559cc43d1e83aae1f5543d8fea4b83

SHA512
a9d412a8bf5c8777d7da4f8974d00bf13c33e690c7a6cedd7fc8c39c88a02c3213c1ed0eabba8f4004f9221d9d83ea9f4b914d638b774762663df07c9c4c8c1f

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.txt

Filesize
163B

MD5
ba65ad51a6ea0d752a264e010d91bb07

SHA1
cc0125350670bbe8a445cc9619e733aab97f0ca9

SHA256
b98c4714bbef3d1764e48098bb3063bb4d3724831fef2571451bce68bf40c169

SHA512
935618892f9f6d1696b43493ce5005266f8f11c931e2305c01957e1f22c91b6508996d82fa24f1d27ef702bebf6138359b879aac81dfeb34335d2c19deedcc2b

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.txt

Filesize
163B

MD5
d60e814d6fe7e9ab7d77a6faedd1edfb

SHA1
631e16e188395e018e7c5c59ee7c98ab0d79d2eb

SHA256
d05e1c31db971c55a0ca594b95bdbd1dede720ea3427ba148b843495a486be24

SHA512
d3a0df75a67f76a5578541d750e44e44def4d6952100e93fe75de1b1e545e5d44472ddf0566c817318e41ced5a6392b3cd21b4621ced16ce6188ac27b1c1890a

Download Submit
C:\Users\Admin\AppData\Local\TempVHNSE.txt

Filesize
163B

MD5
789073442be1682fbd77c0866e60b364

SHA1
619eba7d16cbe72bb665f7d9d266d752cafcf2ec

SHA256
6125741402eabd47876e7fc33cafdd5fdbabb26ef1819b82984616f3c72f1686

SHA512
b45d7e2b7ed261085ec98bac2fa9ee8e4894758f5b07be6e465ad24ea029480170007080595c0c62030bc92ac18bfda28caf5bf96d84b1fbb8d754dadd856760

Download Submit
C:\Users\Admin\AppData\Local\TempVKXIG.txt

Filesize
163B

MD5
65d080236c699b0a969c3722cd7dc993

SHA1
26ddea76d7bdbdd656b25e2b48e99f72578a3d42

SHA256
529220af02bcef192f2da431378863b886cbe0f91e4e96421615e265882a524f

SHA512
72b3378b8515b16569605a82e31532435b51e4777fee61693d1a288caa19543743a12a7a6fac7ba66a28f9684ff2bb3f7725d31bb5f7c34a857a40b1e111b9f3

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.txt

Filesize
163B

MD5
3cc8db8f1b9a8047561ef21292228b07

SHA1
aaa2f3b7f1acd31b1fb2434bb05321d79779e801

SHA256
7c75ecbff079359cd1f5c877aaf75fc2f175a04611db6fb23b3152fbe02ef5b1

SHA512
10aea21dfd242036065f7df402b437a7bd6680172759d5a379d742fdeb5212d08ffdd59dad6193ba3effde8748ee34432564e82ce6f44d10958b3e777a177114

Download Submit
C:\Users\Admin\AppData\Local\TempVXCSL.txt

Filesize
163B

MD5
c435b8014f2d2d7f556f48bae57592e6

SHA1
3e3afc03a3b0e06fcc11db28c54cbd2ba2749e6c

SHA256
6d51b3adb23a675fc7ffbd29852de1d43ae950db2bed101ddac34f7c1a58ae17

SHA512
f4c4d2f193410883433f9372ea80b688ef2adcf21ea770e9d54410808960ac5acf86ffbf01fda492b4932e4a341b54832b9f17d367a2ce3284b01b63b4c7c302

Download Submit
C:\Users\Admin\AppData\Local\TempWSSHQ.txt

Filesize
163B

MD5
7ab3dbdaf27ff3f98c43ef9068406a6e

SHA1
f4e155188ff8fd2db7e4a89615eda030be47a33b

SHA256
bf02a2f2439c424d60dc4d5ff9b22410bfdcb2a08bd00908b37cf89c24135558

SHA512
6119b763cbf7511a971c20665ee0067f8660184b3544d42be5a714242feaf38079a996520af216263fe6e3d73fa419ac7f271fa2de6934f89c9eb65a01847378

Download Submit
C:\Users\Admin\AppData\Local\TempYYSLR.txt

Filesize
163B

MD5
47a73167efadba131f6090564a12a4c6

SHA1
d271a153cee969053311600715ddf1e107cec467

SHA256
3a4bf3585106abf425cda59d39096f5a39a559a25749408e7decf90a26946197

SHA512
15c5d26cd27583974241aad468825b0a681abdd090a730843a99a02971ddad10d62c19ca21d25401d05807bde75dfa2a68880cb8db06443ab4d41e7fb6d65c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe

Filesize
520KB

MD5
dd0cb278bba6f2c0f5c62cea3295827b

SHA1
ae0b9fcbf1eb999e8d3048038c4ae9730f0d8b1f

SHA256
12da2da7d314d8384927bb3ef38c7b75266132793cc22d5a7cec47db2cc34de9

SHA512
9396de72d5842f0fa5df8f6de07f119f8f1ab09f53a4a0309f0b5976c0106984f9b12fb5945120f162fc0524d4b6af500f8900502de6aed3bf8f858f5a5a8b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe

Filesize
520KB

MD5
ad86560ce6ed5b812799cc1c8d677188

SHA1
8656409319271e5f690f2f4366070b61554ea5b1

SHA256
0bace9a0919706144ed83c1f270318d13006913071b3496428147e094c25ff56

SHA512
c07dacadcb7e93ed7efc9b40e26a9dc05887bc106514a4e230b4c07c3e0de79e650127e82acaf54c7565cdd8d31694a4a26ac71243f0c0c04b4b71d8b26cedf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe

Filesize
520KB

MD5
4cdcde94240b3cb2e063db3a9d594958

SHA1
5be5579969da703f9b2b777fcae6af6f11169c09

SHA256
3408e297506103f331a8bcfb94b61e208a5ed8a51a897e3d04a0a2b9d4faecbe

SHA512
4e242446ff1e7fe117a90381824df389c4207e38c3bdc9e50507c03e922bd14851a8df3cb51511138f46f0bb640c1c582e03e39fe3c33709f57c85d104873ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe

Filesize
520KB

MD5
aeb3cdedd8880b6322d1ddc07a56ceac

SHA1
5c8abf2c8694817eeda46948507bc4ab8729b771

SHA256
007a95490d7df6e4b14274f24caf88b9446d4f82da87a9c73786a1515f85484f

SHA512
9b5724c02a9ac1d0a6e0ccc55f035673e4aa1b3d5bc117cb8cb1a745efe0c2487630a9dc77b8ab9e09a5fa4750e1465495ca078b825ea655e63830c3ae6f4bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.txt

Filesize
520KB

MD5
75df03f81903db2b2408d5321cc62a58

SHA1
75402c6ef09efcbb5e2d3f2cc4a84621bbce2419

SHA256
171e943a27a8b5072919be08a58e605dc93df5c2ce537252c6ec07d30a027d15

SHA512
7d22ed480a1284d7b891da5ec3005327d5371e3ebabf07992cfc284377c6cd84604f5a4a81b1e5214ff068b60645eefb6bd23fe5939c9b15abdc7ae1b37046ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe

Filesize
520KB

MD5
b6f76131c076358c14257a265ad942d6

SHA1
aed3756c50a7432b707b70e2b996bb9af9c927fb

SHA256
647e7ff4388ab1a1a2c539a7880f6d4764076b792d5cb4027c37ec87d4014cca

SHA512
65ea25f13f6b1acfb086b453e3e6d1b664da7b5b9e63144cd773d2f9dbefb5d70e099f8d854ff43cebe079c7932fed808eafb7eed1d19abdc433792bf8041313

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe

Filesize
520KB

MD5
4e03ac5a805974c9986420fb72caec9c

SHA1
7a632594bf0df35b511c0aee84352d14ca76825b

SHA256
7b8552bf884b3d9501890b1fa4cd2b03a2bc043872252e780032e08c830be1a5

SHA512
a4d3572291b22232b308f4afcd1cbc0e5400869ff57f2b26adc2067b697c48f9f83826ea0d22914bdb39232cad45d6e215df4b25fffd84c5573a42774fa0280b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe

Filesize
520KB

MD5
cad0d751f1e546844fe7bbc2a56c9374

SHA1
8d9a3481395169706ac38f61e832989c42dbadc1

SHA256
e3ae1accff91c1b20a09d034dce8e0dea8136d8bd7b969155a5388582b58c56e

SHA512
c416eeb0ec3a1f215bde00cfa6c7493748ab4befc917f81bbcb53956599d8f84f8d43b44d93835cb888e65eeadde17c4dfa4071c84b6a353a977b6780d5509e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe

Filesize
520KB

MD5
7779c5c0c98d3abb890bf4bbbdf541a7

SHA1
5252a23490c16ede8603d8d61577b769bef9a147

SHA256
539919d12d7286f5ac91f7b83283b2988685d1f937a66b96f3db80eec7d748c3

SHA512
33b5303f4871c50bd24ad12534ca8571cf9efe507f9609a796e85b6a610c53925074325de75011631a4f6cdad7c70cd3316803121f7a61f7711c4b31f9735360

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

Filesize
520KB

MD5
c5439980609e32e0713936c656b4dbac

SHA1
879a13251659895c78a10bf1f5a8719e2a70c56f

SHA256
23eaf6322b0322491b7e838906479ad7d1e62b27c807dfdde750f377f4f988b8

SHA512
fd2d955ec22f16058db75493355d9b2028b44265b544f31dd6c1dc4f1cdda2af64ddd3c436be7f404d93b80d07f736e77f478f71cb67e6bf66d1971a69e40b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe

Filesize
520KB

MD5
4c8640642728d76251b432d2d8ab9c8f

SHA1
73c46e73fe685a853787749ef56b029a5c53d386

SHA256
6fb5d6106f4a535e8bcd7fa4cfa7b99c2770117932dd1a7358a75ac919f0456c

SHA512
3482109ffd68fb6e9d47c670790d7e33cfda15a7525829bf5fd92bcbcca4718071474666b8bb453a4cd497cdaef03a064e84b3b3bfae50ebb0ed21b45f022966

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe

Filesize
520KB

MD5
601af0ccb31f139fa6673fe2456daa41

SHA1
4326e0f2e8a1828a6aa62d6b596ca57b7c34fee0

SHA256
29cfb56b0bd497cacb9ce7604438405fba492dbbd9199240b5e6661b0397f2be

SHA512
511b92601686de3db14adaa7948a31a8db2b3e31fec13a4a9fed01d5bf9ce174e87bfc11ea9ccc36b78c0530736c29951eae7c71f0e81e32fe963b953b4a7216

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe

Filesize
520KB

MD5
27ddf81b8b9ff1bd7044dcd9d83caddd

SHA1
55ef8b5edf72bb3672af032c7db0a67309b00f6b

SHA256
5961a1152649762614e710ceb10d642642779a342bb36e781cdbc49385d96a58

SHA512
f92ceace4b5db738c4aaa2b3568cdaf4487b3f9ca8fd9dc6b73a13575e797a16802a93396077f7586d78af628b0f349e35955c92492a683cfae2db3b364d38d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe

Filesize
520KB

MD5
bfa9a60fe39b9bfaa16c941f9cb05968

SHA1
feee80a8637f8fa9145a0793119f67759b9abe21

SHA256
41a817258989de8def0b358c6a118caf907aabf0a30f5252a779639e91d0a0c1

SHA512
ec6cba25e09d044edd0c20eb554a2f925592d182d7fe4ebb9d19513849687a7dd86480dca9acf0e0ec365c3b15cae82657f977091e2562a73d5b65a62558c014

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVEQ\service.exe

Filesize
520KB

MD5
dca9fcee64be3738ccd8667e47fc7a0e

SHA1
b8e417f1c3eedc1f37f6362f66a9b45d488910cb

SHA256
585abbbaab520c93a25e0ecf887fbdddd93c72ea70de1429f798a76f59772742

SHA512
a67cac71c62a8e0009bfd275da9e7b2fa91b86c430da7cc73905e8ac1bcdb5bb03f755608a548864f107baf817fee8b1c56206f8a78d1d4e97c9b51e154795bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe

Filesize
520KB

MD5
1ce6186d84bc19f8b0fbdab60f38deb1

SHA1
8ce2d4053b6ed33612527379e107b1f8c94de08d

SHA256
d85a8ed1983b029109a071679cdd927aee69e50921b86a94b2873c7f4a4d2d7d

SHA512
0327bdcdfab5410a4c9042b454fc6758b733cfd38fc22d60565fa8ce623e3f961673865eb6f9b8b75a2d15f56a71498d081f00e0fdbb29ebb187fb61c0077f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

Filesize
520KB

MD5
04b3da35367a88d5184ffd399c314a31

SHA1
c6af972d0c06522f41d49eb0b0256c3c754958da

SHA256
43fb8dfd48016bf1982fee1a70555adaaf8fdfd5da1ef252502c25ea9dfc2634

SHA512
d9b9bc94eb19574c6a1b05ea49ed896ba5c57cd1bae9c44248e4b560b50a6592b5d7c88c3f0cf89a011243e2a7f6ec39171adef59dbd8dbf6b7b4f02c0a4946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe

Filesize
520KB

MD5
4d1a70460ee533613914dfd8dc76e372

SHA1
042c975ca7381fa1569bc97c0645772c80c41b06

SHA256
3a889e81c13461b21f55d3f4cbc5b5fb6afcb45fd2a8c9acf829746325e75228

SHA512
3fd04aa140ce921c6a41795eb56a19dfdb07cb51487f911781f1514bac5b7f17929e294a71e001f34be3115a482086a162112f9672e8d308972a8cc8fee9e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe

Filesize
520KB

MD5
ca3658a14f644204007c9171a5298ca2

SHA1
e63bfbd8457240b6eecc65bae2a2497d9eff92ce

SHA256
6b08d918c0c830bb7b171cef9790be7c73db30cea28c5b9a2b2bd027d96972ba

SHA512
60d8e68c15d23f1f2575328d8bddfae5092d6560a24a88bb6ed9e54579bdb4ae010bb6b406c556a9846dc449031f8d39dc56e61b03284b6bb1ba96c27e8c2b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe

Filesize
520KB

MD5
b3e723b2bbadfacd3548de630e6d77e6

SHA1
741b838cf4f806ecb067ce48890f67c93985626a

SHA256
0f49b528953f03a5b746afe5e16f6eb0bc186186c871fc2f2a4b526f45e2c42e

SHA512
b24e66cfa22043e8984639cb04b6d2cc6beb526cd5650e98a7bf9c92d81431707324cab5e9edfce47516e175a56cf1f9332441c436d7ad86af1b0cb4220a6bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe

Filesize
520KB

MD5
75a3ec0cc5814ac30323d46df61759e4

SHA1
590dbcb0e7886068161cf6c789839f19cf4c9229

SHA256
6092aee0ba8a54fa8d5277e8836500b48f1ace867ac36317147d1e3a0652027a

SHA512
10b7b7282c723622da160eb92fce1852944f71607999dbf39a90093c4b574eaa5c060965d711654fded4b6da2cfbae01b1561ebcd06e9f0d8fe2173454ad88ee

Download Submit
memory/468-834-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-835-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-840-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-841-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-843-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-844-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-845-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-847-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-848-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/468-849-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads