blackshades | 6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
Size

520KB
MD5

47f9bf098bb140399c8a3c56a698f762
SHA1

56235e0c3485a9f512cc060aaf1292ab917cd89c
SHA256

6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233
SHA512

cd0daa0f327a5f17da7f3c948341b5345d81ff9256db64ecfb770f443ca37478eed21e8745b98b39b3cf50959d30e877903b74855e93e00233a12f186a09056b
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXy:zW6ncoyqOp6IsTl/mXy

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/2900-1004-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2900-1009-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2900-1010-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2900-1012-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2900-1013-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2900-1014-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2900-1016-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2900-1017-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2900-1018-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 40 IoCs

pid	Process
2384	service.exe
2624	service.exe
2616	service.exe
1800	service.exe
796	service.exe
2744	service.exe
1392	service.exe
2436	service.exe
1588	service.exe
2084	service.exe
2668	service.exe
2488	service.exe
280	service.exe
264	service.exe
2940	service.exe
2816	service.exe
1540	service.exe
1688	service.exe
2840	service.exe
2684	service.exe
2524	service.exe
1304	service.exe
308	service.exe
1252	service.exe
2984	service.exe
1700	service.exe
2816	service.exe
3064	service.exe
2180	service.exe
1052	service.exe
2760	service.exe
2552	service.exe
2240	service.exe
776	service.exe
1636	service.exe
2992	service.exe
1928	service.exe
1692	service.exe
1960	service.exe
2900	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
2384	service.exe
2384	service.exe
2624	service.exe
2624	service.exe
2616	service.exe
2616	service.exe
1800	service.exe
1800	service.exe
796	service.exe
796	service.exe
2744	service.exe
2744	service.exe
1392	service.exe
1392	service.exe
2436	service.exe
2436	service.exe
1588	service.exe
1588	service.exe
2084	service.exe
2084	service.exe
2668	service.exe
2668	service.exe
2488	service.exe
2488	service.exe
280	service.exe
280	service.exe
264	service.exe
264	service.exe
2940	service.exe
2940	service.exe
2816	service.exe
2816	service.exe
1540	service.exe
1540	service.exe
1688	service.exe
1688	service.exe
2840	service.exe
2840	service.exe
2684	service.exe
2684	service.exe
2524	service.exe
2524	service.exe
1304	service.exe
1304	service.exe
308	service.exe
308	service.exe
1252	service.exe
1252	service.exe
2984	service.exe
2984	service.exe
1700	service.exe
1700	service.exe
2816	service.exe
2816	service.exe
3064	service.exe
3064	service.exe
2180	service.exe
2180	service.exe
1052	service.exe
1052	service.exe
2760	service.exe
2760	service.exe

Adds Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ARJFAQKLUXYKLIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFKYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\THSIEDQGUQOTFSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVSTFLST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPDDEEAVQDLF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDNWUEBLFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMXN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLQDHDARXPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMYYCUSBVLYBGPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIIUQOSNVKLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGCWRFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\LYHITQOSNVJKDKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQEEFAFBWRELG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OACEQRMKNDQXHSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASKGBUYKLIRDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXGGRYOMQLTHJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEUPDKE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTSWJNJHXVMMOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFSAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNLTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\IRNIYSDTCSTQYLR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJYXGRY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBKBTKHCRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPBINAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QNBNYVBTXSOQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHNEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SFHCACXSGNHMJUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRTXVYJOTAAGDS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\KVSQUPXLMFMMVQQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\LMJRDKPACFQSNLO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISMKMCHVUHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBPFSOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOHAGNWMSJRGQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXUVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\AONHQXIEPIJSWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNRFIECTYRHHJEA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIAQIGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXJHLCNSLBBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCKC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDSXQGQKILXAYGT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQNBNVBTXSPQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELHWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTMNXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOEPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QVSGSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TATDPOPLJQLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVTXLBPKIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOGWOCMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTRAL\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2672	reg.exe
2180	reg.exe
2840	reg.exe
2732	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2900	service.exe
Token: SeCreateTokenPrivilege	2900	service.exe
Token: SeAssignPrimaryTokenPrivilege	2900	service.exe
Token: SeLockMemoryPrivilege	2900	service.exe
Token: SeIncreaseQuotaPrivilege	2900	service.exe
Token: SeMachineAccountPrivilege	2900	service.exe
Token: SeTcbPrivilege	2900	service.exe
Token: SeSecurityPrivilege	2900	service.exe
Token: SeTakeOwnershipPrivilege	2900	service.exe
Token: SeLoadDriverPrivilege	2900	service.exe
Token: SeSystemProfilePrivilege	2900	service.exe
Token: SeSystemtimePrivilege	2900	service.exe
Token: SeProfSingleProcessPrivilege	2900	service.exe
Token: SeIncBasePriorityPrivilege	2900	service.exe
Token: SeCreatePagefilePrivilege	2900	service.exe
Token: SeCreatePermanentPrivilege	2900	service.exe
Token: SeBackupPrivilege	2900	service.exe
Token: SeRestorePrivilege	2900	service.exe
Token: SeShutdownPrivilege	2900	service.exe
Token: SeDebugPrivilege	2900	service.exe
Token: SeAuditPrivilege	2900	service.exe
Token: SeSystemEnvironmentPrivilege	2900	service.exe
Token: SeChangeNotifyPrivilege	2900	service.exe
Token: SeRemoteShutdownPrivilege	2900	service.exe
Token: SeUndockPrivilege	2900	service.exe
Token: SeSyncAgentPrivilege	2900	service.exe
Token: SeEnableDelegationPrivilege	2900	service.exe
Token: SeManageVolumePrivilege	2900	service.exe
Token: SeImpersonatePrivilege	2900	service.exe
Token: SeCreateGlobalPrivilege	2900	service.exe
Token: 31	2900	service.exe
Token: 32	2900	service.exe
Token: 33	2900	service.exe
Token: 34	2900	service.exe
Token: 35	2900	service.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
2384	service.exe
2624	service.exe
2616	service.exe
1800	service.exe
796	service.exe
2744	service.exe
1392	service.exe
2436	service.exe
1588	service.exe
2084	service.exe
2668	service.exe
2488	service.exe
280	service.exe
264	service.exe
2940	service.exe
2816	service.exe
1540	service.exe
1688	service.exe
2840	service.exe
2684	service.exe
2524	service.exe
1304	service.exe
308	service.exe
1252	service.exe
2984	service.exe
1700	service.exe
2816	service.exe
3064	service.exe
2180	service.exe
1052	service.exe
2760	service.exe
2552	service.exe
2240	service.exe
776	service.exe
1636	service.exe
2992	service.exe
1928	service.exe
1692	service.exe
1960	service.exe
2900	service.exe
2900	service.exe
2900	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2088	2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	28
PID 2912 wrote to memory of 2088	2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	28
PID 2912 wrote to memory of 2088	2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	28
PID 2912 wrote to memory of 2088	2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	28
PID 2088 wrote to memory of 1300	2088	cmd.exe	30
PID 2088 wrote to memory of 1300	2088	cmd.exe	30
PID 2088 wrote to memory of 1300	2088	cmd.exe	30
PID 2088 wrote to memory of 1300	2088	cmd.exe	30
PID 2912 wrote to memory of 2384	2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	31
PID 2912 wrote to memory of 2384	2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	31
PID 2912 wrote to memory of 2384	2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	31
PID 2912 wrote to memory of 2384	2912	6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe	31
PID 2384 wrote to memory of 2768	2384	service.exe	32
PID 2384 wrote to memory of 2768	2384	service.exe	32
PID 2384 wrote to memory of 2768	2384	service.exe	32
PID 2384 wrote to memory of 2768	2384	service.exe	32
PID 2768 wrote to memory of 2152	2768	cmd.exe	34
PID 2768 wrote to memory of 2152	2768	cmd.exe	34
PID 2768 wrote to memory of 2152	2768	cmd.exe	34
PID 2768 wrote to memory of 2152	2768	cmd.exe	34
PID 2384 wrote to memory of 2624	2384	service.exe	35
PID 2384 wrote to memory of 2624	2384	service.exe	35
PID 2384 wrote to memory of 2624	2384	service.exe	35
PID 2384 wrote to memory of 2624	2384	service.exe	35
PID 2624 wrote to memory of 1268	2624	service.exe	36
PID 2624 wrote to memory of 1268	2624	service.exe	36
PID 2624 wrote to memory of 1268	2624	service.exe	36
PID 2624 wrote to memory of 1268	2624	service.exe	36
PID 1268 wrote to memory of 2328	1268	cmd.exe	38
PID 1268 wrote to memory of 2328	1268	cmd.exe	38
PID 1268 wrote to memory of 2328	1268	cmd.exe	38
PID 1268 wrote to memory of 2328	1268	cmd.exe	38
PID 2624 wrote to memory of 2616	2624	service.exe	39
PID 2624 wrote to memory of 2616	2624	service.exe	39
PID 2624 wrote to memory of 2616	2624	service.exe	39
PID 2624 wrote to memory of 2616	2624	service.exe	39
PID 2616 wrote to memory of 2424	2616	service.exe	40
PID 2616 wrote to memory of 2424	2616	service.exe	40
PID 2616 wrote to memory of 2424	2616	service.exe	40
PID 2616 wrote to memory of 2424	2616	service.exe	40
PID 2424 wrote to memory of 2528	2424	cmd.exe	42
PID 2424 wrote to memory of 2528	2424	cmd.exe	42
PID 2424 wrote to memory of 2528	2424	cmd.exe	42
PID 2424 wrote to memory of 2528	2424	cmd.exe	42
PID 2616 wrote to memory of 1800	2616	service.exe	43
PID 2616 wrote to memory of 1800	2616	service.exe	43
PID 2616 wrote to memory of 1800	2616	service.exe	43
PID 2616 wrote to memory of 1800	2616	service.exe	43
PID 1800 wrote to memory of 1684	1800	service.exe	44
PID 1800 wrote to memory of 1684	1800	service.exe	44
PID 1800 wrote to memory of 1684	1800	service.exe	44
PID 1800 wrote to memory of 1684	1800	service.exe	44
PID 1684 wrote to memory of 1948	1684	cmd.exe	46
PID 1684 wrote to memory of 1948	1684	cmd.exe	46
PID 1684 wrote to memory of 1948	1684	cmd.exe	46
PID 1684 wrote to memory of 1948	1684	cmd.exe	46
PID 1800 wrote to memory of 796	1800	service.exe	47
PID 1800 wrote to memory of 796	1800	service.exe	47
PID 1800 wrote to memory of 796	1800	service.exe	47
PID 1800 wrote to memory of 796	1800	service.exe	47
PID 796 wrote to memory of 576	796	service.exe	48
PID 796 wrote to memory of 576	796	service.exe	48
PID 796 wrote to memory of 576	796	service.exe	48
PID 796 wrote to memory of 576	796	service.exe	48

C:\Users\Admin\AppData\Local\Temp\6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe
"C:\Users\Admin\AppData\Local\Temp\6d11e8172aacd4fe376dec7b3ffba201daa87d8f442499e020175374be48c233.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1300
- C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe
  "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempJHPBI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AONHQXIEPIJSWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2152
- - C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
    "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempTOXOD.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYHITQOSNVJKDKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe
      "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPYAUT.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QNBNYVBTXSOQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGIRN.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVTXLBPKIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMD\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMD\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
        8⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHUFDI.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OACEQRMKNDQXHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        11⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTKHCRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFHCACXSGNHMJUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAAGDS\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAAGDS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAAGDS\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDNWUEBLFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBLHUU.bat" "
        14⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNRFIECTYRHHJEA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQIGR\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQIGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQIGR\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFOBXW.bat" "
        15⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KVSQUPXLMFMMVQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFTBOO.bat" "
        16⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXJHLCNSLBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHDARXPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVLYBGPG\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVLYBGPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVLYBGPG\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVHNS.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDRYHT.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMJRDKPACFQSNLO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGRYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        21⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISMKMCHVUHP\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\JFTSISMKMCHVUHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTSISMKMCHVUHP\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
        22⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDJOBE.bat" "
        23⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ARJFAQKLUXYKLIR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
        24⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPIMNW.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "THSIEDQGUQOTFSU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJNJHXVMMOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWSSGP.bat" "
        27⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLVQE.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBPFSOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIIUQOSNVKLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEXXMU.bat" "
        30⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVSTFLST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSPQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFSAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFLQ\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFLQ\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWHFJE.bat" "
        34⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IRNIYSDTCSTQYLR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNLOEJXWIQ\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\LHVTKUNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTKUNLOEJXWIQ\service.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
        35⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDLF\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDLF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDLF\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTMNXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVGAOW.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXUVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
        38⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJYXGRY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFYNW.bat" "
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVSGSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBLHUU.bat

Filesize
163B

MD5
9af84bd52bfdee58fe9772c396bb0745

SHA1
a06a7a7517a23fb6554d46ac81fbe6f163ec1b66

SHA256
955591f3e916d2e2c2de1c19cac87bf4f2d2b3944a0a3716ba729649956347b4

SHA512
3d8e8b5951acfcd487eecb842cd1309dadd77cf510c6fab19b8e0145cb4ef843910cd771df98bb192dff89baf9f0e92a2c19f2e5da23b7811f8d08bfc854e1fd

Download Submit
C:\Users\Admin\AppData\Local\TempCAJXF.bat

Filesize
163B

MD5
090748bc9602416f9a03c48ad61ffe32

SHA1
408364315e7c18e1f13ee32b2b0bdfd83418bf24

SHA256
1c9f4bb3392dacdaa6b8db0362ab5061a0847de96bf346840cf12fef4de95ba1

SHA512
4204fb2973487a41223d33970709cb683725113ff16854d793f28e0a2bfdbccfa48be98ebcfd9d9cdad3c385e3cb7697c62c4fd349333ca8b425e22e1a8ce007

Download Submit
C:\Users\Admin\AppData\Local\TempDGIRN.bat

Filesize
163B

MD5
4bc2685d30477d1389c915e12231944b

SHA1
9b4b76696114ceabbef42bd5ec35b8991d87a19f

SHA256
60e3b5fb71798cd0aa0c39d8a897cd916f0334c5187433b42505260fff5ef706

SHA512
4d24c2108e932d9dae0fd9a75c5f4f2248a4d0474221f67c5578f34766faaa4465441ae673135182b6133c89479f442614fb77266790dc139e27061b9cfa907c

Download Submit
C:\Users\Admin\AppData\Local\TempDJOBE.bat

Filesize
163B

MD5
8bfd96d11f3de471840c0a7a4cb3eae3

SHA1
4e1278804038130879e42dc7eaf74ca77b02e0c5

SHA256
2c62c46f53705296fe090c62b16526a9f4e9456ffd7ddb4288dcde251cec5648

SHA512
8f2ed62b1487717444ec2c1a3e80dd52ff883bf6e7636e44b4ab197773e718a7e9375baf5dd906e7da740c385a13227866ee1bc7897be2a98b7baea77944d653

Download Submit
C:\Users\Admin\AppData\Local\TempDRYHT.bat

Filesize
163B

MD5
a3d2a1fdd26b19897055cf0354f53f02

SHA1
9da660d0a6b329c46173cd2b0d138c3bd1cf7a8a

SHA256
a4cf9316d3b271a457e2dce1eb7d49373cf85a8ef30ca2161398e0297db411bd

SHA512
0c8b3c6e3ba818054b904a03a5e77f8e2b2aede6c4577b7e2b6587f91b69f141d985732d4ca11722866d8630ba51540176ea2973e3e435ec826d9988507e2a77

Download Submit
C:\Users\Admin\AppData\Local\TempEXXMU.bat

Filesize
163B

MD5
e5de1b650a040f7ed8e3978daabc5c28

SHA1
db4850e5559f3819fac04fdf8f26e3e49236d3ec

SHA256
2b2495ce7a09174320c02e2c2de22fbd6b9a994ee0db0a431f91710d99e1ee1b

SHA512
d6086ff2a215c267d9b1d4107ac792d39dba76cd172f4a4160a90100b70986a8267ef229b8e82deec6e19e62260297de9a2bb8305fbe8e387b493716f5d7ac6f

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.bat

Filesize
163B

MD5
7321dc83efd654ee2b765694c059ae1a

SHA1
c49b071bb2dd8c44934df9826539b31a7deec795

SHA256
66adcee4dba8cc420d595fbb1f2236c78cb105b8fc0a5f0bdb34ca438465151c

SHA512
2268932fef898fd95eec7089ee6c1d56a352b8e6a8a5f972f2faf21e6fa0998cede6371c6b2b1fb3345d833537b66106f621bf567cb55380a5996ba4bbb4d9d7

Download Submit
C:\Users\Admin\AppData\Local\TempFOBXW.bat

Filesize
163B

MD5
c0fad530c81c2e080f341181498c4210

SHA1
62cd0bf16fa89ab3f2c56fe3cccdba25c9faa96f

SHA256
3a5871462a0a456e25b76bc9f27d2b5deb7086272f0c35fb76dbd028ccd13c64

SHA512
beccd6433f2fd52a31bdbedf0df23bd833dfb3d67426de104bd9788897f8ad0c8b7a19d897d33b2032682e0e6f833a9f4f57f905aa6082bf7a381fee8d4c5811

Download Submit
C:\Users\Admin\AppData\Local\TempFTBOO.bat

Filesize
163B

MD5
9289d04655d55a3601dbfb76a5eab54f

SHA1
d466dde4451583fc4b4dfd0216c4765db8d5a5a6

SHA256
3da84c962c75e6e9855b31f318e6711d960210f568c8d2d72ed68471dac40c95

SHA512
4f041ca86345e9cfeab3c174d5c2e4518519a61a64738b8d87befca9d2d300e216bac9aeecd2a7ac95b408847fbf8672c93d79e23922e0c9f9cc007307284a33

Download Submit
C:\Users\Admin\AppData\Local\TempGYXUU.bat

Filesize
163B

MD5
fd5694efaf2c6554304de2e815bae5bd

SHA1
99666b647cd5d2d90b385ebf09f5309cebdf603d

SHA256
782adde119da1692e215623a4bceb0ee1eb9e107428069e68c4809da4d501feb

SHA512
cb647362e661f08b394bead3d269a6f4e117556104495692a2febdffb8c8e0c433d73ac17da0d2026f507f2c9690bada9d7827f725c8876f3b9f0d109cba55fe

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.bat

Filesize
163B

MD5
cdfa77971a1f9127b97660a76d4fb58e

SHA1
875b079728e19436dd88625936b1006a4ad03e07

SHA256
b299f4cb54fcd5fc0b66cd58f10dd34a3edbc01e542cb6ae3f8e2e23cf29c2e4

SHA512
74fc432277874fadebdfbc3ce5e2c2b299fb4eefdcd9fb971664eef39fdf29e5e4fd5f6c1befe62065a5a4827cf0d99f33336da413343e1e1e9dcf01702037a8

Download Submit
C:\Users\Admin\AppData\Local\TempHUFDI.bat

Filesize
163B

MD5
91691d34b8f68ca3af91674578b0cdac

SHA1
c2db0489e1f8cab977454361fd7c6194978ca08a

SHA256
9242c0db52f1175a9e14dd9ac5e468a90251a6ed7e5d3fa351bfd3a6fc4c5fe9

SHA512
427dffe9216291ec332553254b9f7a8712fe69b91d7d79c14a9964d1d51770b9b2bd0a77aab7d3db92f7cd07b33d454e6ba244c9a0e76295b0ef202480fadbe9

Download Submit
C:\Users\Admin\AppData\Local\TempIRNVM.bat

Filesize
163B

MD5
2a68604252ca51ebbea26597dc2478e7

SHA1
4ddd87e1cf3fce03d24f98e54c78afffa5fa1896

SHA256
bb71df9c9ef903936d6262469a5ab4af2a1ca0b39d03ea3c4961b885651febc2

SHA512
962578b93c55a25030fa80efd44497a9d2ed90133a30c98cb7c02aeeda8ad6e8fca751d568d5a718a0bd0b17406aab428d3ead3351a4e6cc9ad0d165dbc37e7c

Download Submit
C:\Users\Admin\AppData\Local\TempJHPBI.bat

Filesize
163B

MD5
00b7af44531088a30a6650987a99ac2e

SHA1
7a862f2ac92c365d7aa9372c89dcce37bcf35510

SHA256
31cc9867679c60f20a00e3e5d05d20dc63a7b0e915a1889fb153195164c4fe65

SHA512
d50df0c790741e63dfdb7baa4b59a3133c3f8ab8e699fe34e016d871aab54e3c7947a5693aaed48e19ba4d2ab313c17460d9c6eee5a1c003214a2a3946f2b722

Download Submit
C:\Users\Admin\AppData\Local\TempJSNWN.bat

Filesize
163B

MD5
e42b648dc7dbcf54caaa990caad4db2d

SHA1
6f10df50534d91a67f7763e367755be3e79a2b66

SHA256
cef76bced8fd1c751f7a1e600b71be3198b604e2279db671d0d8196c69d620f7

SHA512
886d13ebbe75df5ac300f7d3ada41b764ab82a8c7032223886ccbc5119cef6fbb22612ac44a97cfc010d87fcda541937ce18c3148eb765d981923ff3c3b3f928

Download Submit
C:\Users\Admin\AppData\Local\TempKLVQE.bat

Filesize
163B

MD5
48f305858e08e144c3f5dca8a157d345

SHA1
17d9277acdc7217cd0c1a168179d0417f58795eb

SHA256
ee427e0ebf2ab2f7781827e950a318eab8b8539919b84d5d442bc288be6b2ee1

SHA512
7055def9b03d4efd9e85951edf03654a71d2a8d8066066a2823d7c0c76d70924088b9680fdf76477546e11a5177d82a76cc7b4b7df14bf6017a670e318f88b18

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.bat

Filesize
163B

MD5
cf8a990610309bae39254c5188f095dc

SHA1
7b4fd2489d14e1bb719769065fe379cc22d2c6a4

SHA256
02da0215a73f19c3e59fe22818cfc6feeb9f119e48659f3d4093b35d80b3cbee

SHA512
859f0b2c57d6f6539d238c5ce33acd166770c7f17a3e0675fda5308ec501d7749d1112988fde8d23a776624e600975a7aff624d15a747511651f14c02dd27a88

Download Submit
C:\Users\Admin\AppData\Local\TempLHVUG.bat

Filesize
163B

MD5
de69c25118df8838f32524d5b65053ba

SHA1
d79b8934dab391b2f85b02ec96a6cf696e23d29b

SHA256
40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921

SHA512
71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe

Download Submit
C:\Users\Admin\AppData\Local\TempLYGPG.bat

Filesize
163B

MD5
0101271ec072de7e773c79682aeb2d58

SHA1
24e54a318756f07ab1eb2aaa27eb623f1c271653

SHA256
fbe1785b106c27aa69f4c49646b0af10a9d7d99903214db8e12fd2abfc1fa958

SHA512
700beae2ea47b7792c1ab42e846f9318c3be9d4d2fa885a9d5c95e80a2eb53660425fac92403721f222c51fa751b2ad111f5f5d143c042265584c8df15a2fa3c

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
775ec3b4efc6595cd8d02fedfb1626a4

SHA1
5a754eae8519fb493c4edbfbeeb02c2deebe3cc8

SHA256
59950a30c9d19865dcc01114a0a21c0faa3651f8439f8f62e867c2818602a73a

SHA512
ba8de1c4d639645943b6bd69cb972c20ad2aa4c9367fcec08a6ce1affd7878eee8efec5c237d84c4db2b60eec76bfcd13bc41f7a34b40514a40b1cea1d9f22a0

Download Submit
C:\Users\Admin\AppData\Local\TempMVHNS.bat

Filesize
163B

MD5
6ce931fff51c553b6f9155fe92023586

SHA1
97f7096809522dd0db95b052be9deed33cf566e1

SHA256
26fe90c0a595f3d73d39df2865d49d1f63a51b94e0758faab3b025de8e8736e1

SHA512
1eb74627887ee7a61293ca6dec4fe45139a08dba9c4a458d9c8b4dbba0423294f02ba300045ec5333d07549e46d855eaa7ef6f4053b9f9a3068d2976f05ca605

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.bat

Filesize
163B

MD5
6718f05350534884b05f7786fdf96d02

SHA1
a8a9bc6192a15d8defa62fa08f7573190c39370a

SHA256
63e53ea431e5720621cc8483a59ff63e299be5e1986af0bf759d4a930bd67213

SHA512
a94512a13f9471a450a59156108131cc69156fde14e0bcc687cff442077f30503d73fe0e51c729bc2a354469a91fdd771e233a64904516793ccdf1ad65b5eea7

Download Submit
C:\Users\Admin\AppData\Local\TempPIMNW.bat

Filesize
163B

MD5
b374b87182b0ad8c7d1482637b698bdc

SHA1
b93911df65061639a95afa4093b4f6a549a10b24

SHA256
470ae8a725561a00552d69c1c085a4caed86af6233fe2312677b7c2ac71f9e9e

SHA512
de5165c2e44e4c1625bc376e979587feb75bf8d7f36417ac5b2e86537e2bbecaa3134e40c9fe9c296cf0a85f24ef97283e46c92248fdeb1f718abdee3d89e4ae

Download Submit
C:\Users\Admin\AppData\Local\TempPTOWK.bat

Filesize
163B

MD5
291ed414d4c87fe10ea637baff7ad468

SHA1
956a0855724484badaf129749c8efb0cd94a2b38

SHA256
4b81ebce71245b377bde95b518a88d474887e3d553a6020224310fce999ab228

SHA512
b89404ba6755f460ff4a3b830b38ee6392860f5d436c9e8e76021770e9280457603050d3ce4aa5b893a7575ad42ce61e5f651f9e06145e912ba1a294cc36c131

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.bat

Filesize
163B

MD5
b0d5ffdef5dcae234ba39b231139bd26

SHA1
230950396ebe5e88ee682fb1b971c522b4170ffc

SHA256
5f0cebc07f05ebb1b5cf091459d9909611b4917d33430f2359aac74a6c8cee9a

SHA512
0b0fbc7530591c664967147aaaf1073e5ef613e3a62eace91dc93f86947f4c1ff3209e90bbe07c86d400ec395ebe266d24310e2aefae1b88c2d2cbc01a10296f

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.bat

Filesize
163B

MD5
7236fc24f721acf7974a7b7b513d4f4d

SHA1
7c39337222baa013550fc81333de74790aa60aa7

SHA256
04c06509671f85cc6a3fb36036f24eb0331985e20531814fb7799a9263ad629a

SHA512
c55cd3c168efd436e9f3432b49f0be043a080e5cd2f6ebfce773b59d4790aa24c089033aca91d24172ee0f50b4a8f3574139f5ef0aa22cdd9a5f725a946f3852

Download Submit
C:\Users\Admin\AppData\Local\TempPYAUT.bat

Filesize
163B

MD5
02cd476fba54ade174be11bdcb7658de

SHA1
eb7193bda0ef75edfe70e7d1570e12df8c1bb5bf

SHA256
318cff7056317ee7472fdcc4b5cb2c43016b085553226700e64cce1cb19f589e

SHA512
4fbcefd272d8bce878d095c7f287f08e7fe5bb38b68d04f61d8fc1a9013558dc3ab4f6c170e9539849eb50d41d1457cbd5c54fff400dcc50f3a77f2ec2decd5f

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.bat

Filesize
163B

MD5
da20af3ca3dbd6a196bdfa7c8cd6c44c

SHA1
a3e81f3c07be2c0e0b9ed76426e444194afd7fb5

SHA256
4683007f34d1c87274ec8a80f3842a7f0f9f819a91353e2fb80956168731f7d1

SHA512
a425082c3e141d6038981355c0a4a659625f4339d68da13d5e92ee109ea04c266fdc1a1b316fd8e4490feb20586e2aff1a8db530192c75701bb6c536491f5daa

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEF.bat

Filesize
163B

MD5
f4c9637065bd82d7b13e58d78ea9f2a7

SHA1
a130b2d20b67134be48958ed09f1e9bc464050fd

SHA256
e79b50d67938fd1813f76ea80f85a9959d4358ff9762cd29bcb2c3aac8685d89

SHA512
6e0e931555be93c2ba97bad30f24271b6f643c8d83f2b08e766bb277c4282bbf51776644e4f9fe9a228d91aeba1906b1142f668eb8055ee50bb0c2e1d87ee105

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.bat

Filesize
163B

MD5
cfdfb84e49dfe6847ba1e17c53f35159

SHA1
da77ba105a48ad835fca9989a6af15f572bf5417

SHA256
51357c19a2d9039d8dbf64b780ede97baf3eadce3cc700c89036572f402954ef

SHA512
2c99745c2285234c0aae43c336231b54b3e595be42de1f5673afebf6fb2d9169efa310a372db192d1e9c5db1d5b556e48d7384bff4594e8e86c6ab47858bbbea

Download Submit
C:\Users\Admin\AppData\Local\TempTOXOD.bat

Filesize
163B

MD5
c8d316c3aa2dd7a63998c60c132e8ab5

SHA1
8c1019afb6a9f4c520e688aa92e436cbb8e97f83

SHA256
2915e5a438a255809b986a460e5df6c651f71bf1d3493ee520f9e1e8e262a6a0

SHA512
89daa56405e81dd6694c04ee30d841bbb61eab33c4a426a5b9c6e7f998d3d755fc59cbd4e765565516f3182572b890ffbeb9cde29bbbd4056b8c32ac6dc908f4

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
a3e636817c81440b8ec8f4a3fa40fe14

SHA1
7ce060d703b153db843dc9c98bd4d751fbe06292

SHA256
e9336459ff6c1d72c98003c12815003c4405a650da6ce3d5aac4ec3b2906c12e

SHA512
90256f066693580819968efbaa7c70955b49df02bede8faa27c6b9ac8de6231ed31d16f7456e69779e64dd4c52d2d4f0952db5132b2b335a6518e6cf57a97a4d

Download Submit
C:\Users\Admin\AppData\Local\TempUFYNW.bat

Filesize
163B

MD5
808b10324ef2c9f3667a72caa4dfa7fd

SHA1
21dc798bf9ae600cc0cd31745caa77cc4fedaa2d

SHA256
3e0a9595d08e5c5dfe573208bcfeee5a3773e82dc0efdc9e15d9a91ed7fe0af4

SHA512
8cd4978bfa56dd1b967205e32c7eb027d6b106958a0bc06d12b579a0523647c47cd1054446e85f832336b73140f5be351d9ab8c2426127c5f52e6646b51a3d59

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
1ec7e3ccc363d8da29003f6ca9f20bcb

SHA1
0f0f489d7aa81ef3940691225309146a6831f60c

SHA256
abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c

SHA512
bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2

Download Submit
C:\Users\Admin\AppData\Local\TempVGAOW.bat

Filesize
163B

MD5
fe5d4ee7b49b20431a910d565c5f9b9c

SHA1
d73a6dd3a7d59b7fef87d81cb2f048dbf92535f3

SHA256
52e8d88a6ffda3384fbfe8cd9e9b3a5a93548d14473452b6fe88443ea3c04736

SHA512
f41eb2dbbd558429f606bc59d02f205933bf54f5a2453d880dd1a12819fc91f55c47bea6bcdf81dccee60f5cf79294bfc82b8b58a727e8006b7e75737a4ae99a

Download Submit
C:\Users\Admin\AppData\Local\TempWCUYT.bat

Filesize
163B

MD5
30e8fdaa6b3040f4afc9fa2b82cdd361

SHA1
f36f66e8c59e4516c509575456f9392fe6a92cd8

SHA256
fa345111a2b398e6eed8970c9cc7a6f7d10b31d2d2d2ec675248862e38ad4e0c

SHA512
f3ba4a384e50f5cb163892419c2718fe1f44e145b9c3a01d48a59fa9b97dad1508ffbc9f4ba92c8fbb359386c2b537ea8ac93de9b1f8ae370098efcdd2a82d64

Download Submit
C:\Users\Admin\AppData\Local\TempWHFJE.bat

Filesize
163B

MD5
c978b55a6a43701ff67a1a86702215a1

SHA1
0c93846d216a8de44f602d8dbbf971e07bbc609e

SHA256
e4dd4c3bb8f76adedffec7d4de5aa34e86b33fad942d7350a5fff825a4cf4251

SHA512
ce9a8e620af08b6b39ecc3a1cf2cf860ebf719f16c353a849a3dec027b33007c67d9386d58f7ad5cecd45fe83ff0f9227169011dee5b0919e776c79b2a17f683

Download Submit
C:\Users\Admin\AppData\Local\TempWSSGP.bat

Filesize
163B

MD5
1a5ffb40bb1b61b3f2de211f85cb4452

SHA1
29109dfbde3136692272d25d2d366334885c34ef

SHA256
829b3c15ff9c57dc1ceaa8a4270a42885c7cb995198164721e5470fb4bada793

SHA512
01351190368e3c557103977be10a37f2dad788178af57888e50a98d2e0ca69f8b7a4a1b28df5143d149a745d0292cd4eea9c20e3d9b0003a44398f84442248ce

Download Submit
C:\Users\Admin\AppData\Local\TempYFGDM.bat

Filesize
163B

MD5
5862b865fb672778d7961c4ab0ef6665

SHA1
df4d8f9625900cbd59fa85ee6d4879d91eb7ccbd

SHA256
ce6f93f0564bac1b00ceaf71511b142a9c1c4556b92983a6cab0bed7f9b4ce42

SHA512
09f3dab9cd912a402ac628a9767eb54a3fdb80017ec7d0561a0ffee400f3b299817b0bd3694d57be4b74d5639d82d49134ce19d2d5a542258d3ca0a2b12b9e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe

Filesize
520KB

MD5
5991977b1f5d4ecfcc88cdf187614c86

SHA1
8d0aa664607f4cae65c51dae797e436771d0d3f7

SHA256
b19d37be669feebd6e85bc58f9f98ab2852bcb999f794343714104021197cd31

SHA512
2f50e2230938541e2cf958b90b7692fff466bf59c2104bb1079b0be3cdde850b38f13a930b1a9b90c35c306403c04a5e302af08130e4bde731ebd812eb5a0327

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe

Filesize
520KB

MD5
7b02813ee5f9247c812f2bada3c266a0

SHA1
3b2ba0ad1a43e80d60bbed5fe99ae5c9c3e8658f

SHA256
63915a6684b74873e5af2a88591f368eb711575a2c25db5be1211666300491b9

SHA512
7ff52c3c732e94d16b27b8928593f6298773af6b8dfd721186e5c2a91a11a17ea6e36a8c39eb8a22369192e708138d5de9178c95b861bca5eb751391e01ee849

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAAGDS\service.exe

Filesize
520KB

MD5
7c4b18b557250e197a95da9cc454c452

SHA1
7ec5eb4389318145d2767007c93b5b3a710bffe4

SHA256
3a4f048a8a0e0b7d0506bbc5583ac25b5ee6427d40116924a109857a67a12098

SHA512
6f23c20a904014c04e2420c38c7a3a6236ffd3bde3b61079e4241dabc57d70086e6d2822d89f8f35159af75e7db38f2c5052b94b873cf8e43a613b5827b06749

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQIGR\service.exe

Filesize
520KB

MD5
16bf3eec9c64edaa1876ebb69e297aac

SHA1
dcdc90e8b66c30cbf272196c8774fb559bdd3310

SHA256
98924056eab90ce792c0efd4a1888e0b0b98dcfdc0e4d5b94fd3456634f27352

SHA512
ce18be67e44a5636aef2a20ad2f95f0faa1413ada6a8aa20ef8067e0dad52b92d716b76cf07cdd2c0a7bf282dd793649ae4dc77b24761a3498e9f65c82813841

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe

Filesize
520KB

MD5
65434ba43da136d8d0206d2d5523f7fa

SHA1
ade3150371a7ce5a9d4c0098171908caa897985b

SHA256
4a6276e227bfc16f78301a267a3d0b8658d373bf349b8640ef6212cf9fe688f5

SHA512
6dee909699f05eeb2cb91d4d4de5395fb7dba89bd08958fa108213c17eb7389ab92cdb77c6a02bda6d25e1e73ef66782af7ceee9824ee30868e24528fd0a6da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe

Filesize
520KB

MD5
f09ef6ea611d8c2acacddac61d1935a7

SHA1
cdb9c3f41110f9d708fd773a3d1b3e306f1a27ca

SHA256
1a11b6a0e0b063cb6c1a4d19f8e978ad4aa214e131840aa68adcefe7a0674478

SHA512
57cff3603022f13370bb886c30485ddce8f07df779d13902c6c8acd54e21dcb80556f12ac05359e3d9c4c897bd43a86a6dd86f48212650e99674f0c636146df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe

Filesize
520KB

MD5
20d9b6f399ab99f4759bcdf421b9b961

SHA1
87fcc017519fb231b1f3748da3f592ccc60a7e9a

SHA256
00ddd89430fd53ef6e9d5a76ba8b8ffea80e011735a5e865232b14a064f92c46

SHA512
6d6c7d2503f3e0fc484d70a274e87ca74095d29444ffdef2dbdbdbdc37bc97ff351f6c534b717a0621b65e511b33b785b2f804293d9533a810675a608668a416

Download Submit
\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe

Filesize
520KB

MD5
15a9099b4e9fd5ac49105b12065be1cd

SHA1
90203e5174b5ddeb5b69fbd77c8df6a46bfcea6e

SHA256
9c9a512fadd8a6eabbc34efc2aa8aa7481a49d6e47523a0b8f28c8d6c7d25ea0

SHA512
fe9bfb70cfb54a8e1a26ec422379c02c995a09c5c1a7152245df3f75bad8468b5c04f25ef8fd2a447418201ef957e7245d1831fd29b4a22412f4971b6748abd9

Download Submit
\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe

Filesize
520KB

MD5
4a821383b85c15f8a5ccac8d015639d7

SHA1
3be30bf024647763d564e838cb445ba31da2bd87

SHA256
204efcb17bc8934b8cf19c976951c8a33882d084bd3b16d69de9ba364423909b

SHA512
0a5fd981221863b1a573760b9fe8d753e03d4290d44914ce86df8c1537d883c2bc59a9862795fa4e3e2d8880056969b69ed1d7c6bf23528038753ed1bfbe7320

Download Submit
\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe

Filesize
520KB

MD5
cb20592ebf94c4eda4ce5b31d1887b9c

SHA1
b91026ee59d66fd3edcf3d3792fed64570d7fe68

SHA256
c024ee972138144dcee34851ea29927a75336a3438ee8e5ab4067de53f95aca6

SHA512
cd787f3b058b1f482643eb525bdbfaeae05f43065c570f13ce0d5fb745a6fb1cebd044f7fc8c8f8c1f665d1bb30542b511d74bd8ead843318118ddc0ed75d26f

Download Submit
\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe

Filesize
520KB

MD5
4ecd51ece31f8e72902258a2dd9435d4

SHA1
0c74c9ae4a06072faf329d95b356dd66ce151483

SHA256
b0f07e20ba19b104fa040f1f372c0222b4ff0f13fd88d0759d184aa5cd902d8e

SHA512
38dc813bb7b8aa385e6df7a03346b86b5ea3ad63d38e8096b8cc37df8774c2a8ef707e52b859d45978b948d3baa54ab65b459cb4d48dc4192be4b8bfbb6134c8

Download Submit
\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMD\service.exe

Filesize
520KB

MD5
737d746e9522095f8d4a332b8119e097

SHA1
e599d0e977d7f848eeb09975c11fcf977b838e93

SHA256
b61b440119b5c6779ebd47c72289de19ecd5fe70b2b2d0655f2e8965b9ee7be0

SHA512
6532e81585a25e0d280e6858c2e2f9bae2effe26ff2ed742bac4abb364ad5860569b86759e8b0cb2fbac01ab6ed202c3653246b2bb7bbbc9e78dbad457223042

Download Submit
\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe

Filesize
520KB

MD5
435432b33f9ff32db0f94b4475008021

SHA1
c343b615c06ed89b8449c2761c84b54b5914d67e

SHA256
9d9c4ba7fd4c4c9e8ba556e70723ab5f1908c2d92af9596c8972a56596b4c2ba

SHA512
421b6cd95e771edcd83428da5ed6ce1f2aff33138599b8d83b785ea5406eea683796493eba10d89742da419e7d1981199bcdf2de15decc2ce65cbe8d39313f22

Download Submit
memory/1880-967-0x0000000076FF0000-0x00000000770EA000-memory.dmp

Filesize
1000KB

Download
memory/1880-966-0x00000000770F0000-0x000000007720F000-memory.dmp

Filesize
1.1MB

Download
memory/2900-1009-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2900-1004-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2900-1010-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2900-1012-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2900-1013-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2900-1014-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2900-1016-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2900-1017-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2900-1018-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads