blackshades | f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
Size

520KB
MD5

6171daa8191b44fd399b665185507d0c
SHA1

d2e308c57612313bc6bdbde0442e3c1906ca0caf
SHA256

f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2
SHA512

4325c597c31dcd5e281aa67e9388947c7cb083a08c772adeadc6cb3d63af3f3e89621e8d359ad4e8e04664d8550634029d93d193275189015109baeea84bf650
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXU:zW6ncoyqOp6IsTl/mXU

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/1976-930-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1976-935-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1976-938-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1976-939-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1976-940-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1976-942-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1976-943-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1976-944-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1976-945-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPGLDULJAU\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 37 IoCs

pid	Process
2824	service.exe
2852	service.exe
2584	service.exe
1700	service.exe
3048	service.exe
1352	service.exe
2748	service.exe
1172	service.exe
2300	service.exe
2304	service.exe
2504	service.exe
1500	service.exe
2980	service.exe
640	service.exe
1932	service.exe
1792	service.exe
1600	service.exe
2308	service.exe
2924	service.exe
2528	service.exe
696	service.exe
3060	service.exe
2500	service.exe
2452	service.exe
856	service.exe
1960	service.exe
2396	service.exe
2912	service.exe
1296	service.exe
1060	service.exe
1248	service.exe
3008	service.exe
848	service.exe
2128	service.exe
1940	service.exe
2272	service.exe
1976	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
2824	service.exe
2824	service.exe
2852	service.exe
2852	service.exe
2584	service.exe
2584	service.exe
1700	service.exe
1700	service.exe
3048	service.exe
3048	service.exe
1352	service.exe
1352	service.exe
2748	service.exe
2748	service.exe
1172	service.exe
1172	service.exe
2300	service.exe
2300	service.exe
2304	service.exe
2304	service.exe
2504	service.exe
2504	service.exe
1500	service.exe
1500	service.exe
2980	service.exe
2980	service.exe
640	service.exe
640	service.exe
1932	service.exe
1932	service.exe
1792	service.exe
1792	service.exe
1600	service.exe
1600	service.exe
2308	service.exe
2308	service.exe
2924	service.exe
2924	service.exe
2528	service.exe
2528	service.exe
696	service.exe
696	service.exe
3060	service.exe
3060	service.exe
2500	service.exe
2500	service.exe
2452	service.exe
2452	service.exe
856	service.exe
856	service.exe
1960	service.exe
1960	service.exe
2396	service.exe
2396	service.exe
2912	service.exe
2912	service.exe
1296	service.exe
1296	service.exe
1060	service.exe
1060	service.exe
1248	service.exe
1248	service.exe

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WXUDDOVLJNIQEGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKDXCEVRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\INKKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSWKANJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\BQYQDEAAVQELFKY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESXQGQKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKYGHSYPNRMUIJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAFAVQDL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUILHFWUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTLJUS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYXFGRYOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJKDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEFBGBWRFMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\LGPYWHDOHIYRUVH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNGFMVLRIQFPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GFSIWSPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQUIMHFWUKKMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPGLDULJAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMLPDGCAQWPFFHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBNMNJHOJNUDOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\FJXGGSYOMQLTIJB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEAVPDK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIHNJMTDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVPAPPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSTQLRWHFJEMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWAOERNLQCQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRIQFPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLYCMSKBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUMCQMJYOBOQLEH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLRIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFEUVSBB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIFJEMBYCUSBCVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROIDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMIGIYLTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPUFGDMEJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMIJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XENXVFBMGHXQTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMRMTIJBIJRNWNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKEYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQANY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QNMQDHDBRXPGFID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXAANTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPSDHNAMU\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2464	reg.exe
2940	reg.exe
2932	reg.exe
2820	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1976	service.exe
Token: SeCreateTokenPrivilege	1976	service.exe
Token: SeAssignPrimaryTokenPrivilege	1976	service.exe
Token: SeLockMemoryPrivilege	1976	service.exe
Token: SeIncreaseQuotaPrivilege	1976	service.exe
Token: SeMachineAccountPrivilege	1976	service.exe
Token: SeTcbPrivilege	1976	service.exe
Token: SeSecurityPrivilege	1976	service.exe
Token: SeTakeOwnershipPrivilege	1976	service.exe
Token: SeLoadDriverPrivilege	1976	service.exe
Token: SeSystemProfilePrivilege	1976	service.exe
Token: SeSystemtimePrivilege	1976	service.exe
Token: SeProfSingleProcessPrivilege	1976	service.exe
Token: SeIncBasePriorityPrivilege	1976	service.exe
Token: SeCreatePagefilePrivilege	1976	service.exe
Token: SeCreatePermanentPrivilege	1976	service.exe
Token: SeBackupPrivilege	1976	service.exe
Token: SeRestorePrivilege	1976	service.exe
Token: SeShutdownPrivilege	1976	service.exe
Token: SeDebugPrivilege	1976	service.exe
Token: SeAuditPrivilege	1976	service.exe
Token: SeSystemEnvironmentPrivilege	1976	service.exe
Token: SeChangeNotifyPrivilege	1976	service.exe
Token: SeRemoteShutdownPrivilege	1976	service.exe
Token: SeUndockPrivilege	1976	service.exe
Token: SeSyncAgentPrivilege	1976	service.exe
Token: SeEnableDelegationPrivilege	1976	service.exe
Token: SeManageVolumePrivilege	1976	service.exe
Token: SeImpersonatePrivilege	1976	service.exe
Token: SeCreateGlobalPrivilege	1976	service.exe
Token: 31	1976	service.exe
Token: 32	1976	service.exe
Token: 33	1976	service.exe
Token: 34	1976	service.exe
Token: 35	1976	service.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
2824	service.exe
2852	service.exe
2584	service.exe
1700	service.exe
3048	service.exe
1352	service.exe
2748	service.exe
1172	service.exe
2300	service.exe
2304	service.exe
2504	service.exe
1500	service.exe
2980	service.exe
640	service.exe
1932	service.exe
1792	service.exe
1600	service.exe
2308	service.exe
2924	service.exe
2528	service.exe
696	service.exe
3060	service.exe
2500	service.exe
2452	service.exe
856	service.exe
1960	service.exe
2396	service.exe
2912	service.exe
1296	service.exe
1060	service.exe
1248	service.exe
3008	service.exe
848	service.exe
2128	service.exe
1940	service.exe
2272	service.exe
1976	service.exe
1976	service.exe
1976	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2416	2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	30
PID 2116 wrote to memory of 2416	2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	30
PID 2116 wrote to memory of 2416	2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	30
PID 2116 wrote to memory of 2416	2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	30
PID 2416 wrote to memory of 1888	2416	cmd.exe	32
PID 2416 wrote to memory of 1888	2416	cmd.exe	32
PID 2416 wrote to memory of 1888	2416	cmd.exe	32
PID 2416 wrote to memory of 1888	2416	cmd.exe	32
PID 2116 wrote to memory of 2824	2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	33
PID 2116 wrote to memory of 2824	2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	33
PID 2116 wrote to memory of 2824	2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	33
PID 2116 wrote to memory of 2824	2116	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	33
PID 2824 wrote to memory of 2944	2824	service.exe	34
PID 2824 wrote to memory of 2944	2824	service.exe	34
PID 2824 wrote to memory of 2944	2824	service.exe	34
PID 2824 wrote to memory of 2944	2824	service.exe	34
PID 2944 wrote to memory of 2304	2944	cmd.exe	36
PID 2944 wrote to memory of 2304	2944	cmd.exe	36
PID 2944 wrote to memory of 2304	2944	cmd.exe	36
PID 2944 wrote to memory of 2304	2944	cmd.exe	36
PID 2824 wrote to memory of 2852	2824	service.exe	37
PID 2824 wrote to memory of 2852	2824	service.exe	37
PID 2824 wrote to memory of 2852	2824	service.exe	37
PID 2824 wrote to memory of 2852	2824	service.exe	37
PID 2852 wrote to memory of 2560	2852	service.exe	38
PID 2852 wrote to memory of 2560	2852	service.exe	38
PID 2852 wrote to memory of 2560	2852	service.exe	38
PID 2852 wrote to memory of 2560	2852	service.exe	38
PID 2560 wrote to memory of 2532	2560	cmd.exe	40
PID 2560 wrote to memory of 2532	2560	cmd.exe	40
PID 2560 wrote to memory of 2532	2560	cmd.exe	40
PID 2560 wrote to memory of 2532	2560	cmd.exe	40
PID 2852 wrote to memory of 2584	2852	service.exe	41
PID 2852 wrote to memory of 2584	2852	service.exe	41
PID 2852 wrote to memory of 2584	2852	service.exe	41
PID 2852 wrote to memory of 2584	2852	service.exe	41
PID 2584 wrote to memory of 340	2584	service.exe	42
PID 2584 wrote to memory of 340	2584	service.exe	42
PID 2584 wrote to memory of 340	2584	service.exe	42
PID 2584 wrote to memory of 340	2584	service.exe	42
PID 340 wrote to memory of 2740	340	cmd.exe	44
PID 340 wrote to memory of 2740	340	cmd.exe	44
PID 340 wrote to memory of 2740	340	cmd.exe	44
PID 340 wrote to memory of 2740	340	cmd.exe	44
PID 2584 wrote to memory of 1700	2584	service.exe	45
PID 2584 wrote to memory of 1700	2584	service.exe	45
PID 2584 wrote to memory of 1700	2584	service.exe	45
PID 2584 wrote to memory of 1700	2584	service.exe	45
PID 1700 wrote to memory of 1196	1700	service.exe	46
PID 1700 wrote to memory of 1196	1700	service.exe	46
PID 1700 wrote to memory of 1196	1700	service.exe	46
PID 1700 wrote to memory of 1196	1700	service.exe	46
PID 1196 wrote to memory of 3060	1196	cmd.exe	48
PID 1196 wrote to memory of 3060	1196	cmd.exe	48
PID 1196 wrote to memory of 3060	1196	cmd.exe	48
PID 1196 wrote to memory of 3060	1196	cmd.exe	48
PID 1700 wrote to memory of 3048	1700	service.exe	49
PID 1700 wrote to memory of 3048	1700	service.exe	49
PID 1700 wrote to memory of 3048	1700	service.exe	49
PID 1700 wrote to memory of 3048	1700	service.exe	49
PID 3048 wrote to memory of 1688	3048	service.exe	50
PID 3048 wrote to memory of 1688	3048	service.exe	50
PID 3048 wrote to memory of 1688	3048	service.exe	50
PID 3048 wrote to memory of 1688	3048	service.exe	50

C:\Users\Admin\AppData\Local\Temp\f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
"C:\Users\Admin\AppData\Local\Temp\f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempJSOBN.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUMCQMJYOBOQLEH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1888
- C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe
  "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempVIOTE.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVPAPPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2304
- - C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe
    "C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempCFGQM.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKANJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe
      "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXESR.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:340
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMLPDGCAQWPFFHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOKXXJ.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        7⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHSPNR.bat" "
        8⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BQYQDEAAVQELFKY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESXQGQKILXBYGU\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\IESXQGQKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESXQGQKILXBYGU\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWHFJEMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "
        11⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYXFGRYOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        13⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJKDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:356
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIJRNV.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FJXGGSYOMQLTIJB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIFOAG.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LGPYWHDOHIYRUVH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNGFMVLRIQFPFB\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\UXNGFMVLRIQFPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNGFMVLRIQFPFB\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDOVLJNIQEGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQANY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        19⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKUPDA.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWAOERNLQCQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        21⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        22⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDESAO.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLYCMSKBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGPGD.bat" "
        24⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFJEMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INKKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        26⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMIGIYLTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
        28⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "
        29⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QNMQDHDBRXPGFID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJJSNW.bat" "
        30⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYGHSYPNRMUIJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKOPYU.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GFSIWSPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHEMFK.bat" "
        32⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMGHXQTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        33⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        35⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLWUSX.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMRMTIJBIJRNWNC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
        37⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQUIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        39⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        40⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe:*:Enabled:Windows Messanger" /f
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe:*:Enabled:Windows Messanger" /f
        40⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        39⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        40⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        39⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        40⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAJXFT.bat

Filesize
163B

MD5
3335a1da3e3505e150ac488edfa92706

SHA1
4c129bff49464685792468bc1a3d98bd4a260da6

SHA256
b72b33eb4c66a4578cb3bf2f282fb4f84494801c2ccf67e67c606865503e3045

SHA512
5d1542b5f121f43ffd1bfd9ef6fa926312d7d0684538d2fc84283419df79c44d58d30b784254729e99dfacdc57c82b037e02271c1851c441b53b269411100d44

Download Submit
C:\Users\Admin\AppData\Local\TempCFGQM.bat

Filesize
163B

MD5
f93e33b71234fa46aea76abb934de754

SHA1
5979972a4cfbe27f657d7e7bc66d401f1d299d86

SHA256
35570e84142acd63a632c0099fab519587f130e429192dc9b879d05a7532a6af

SHA512
5eccbb39a725717f4371feef4f036971cca5e00916c4b192bed41313c7c1e7d528b79d09c810a034f4b7c7151d1237e91a5de67fda387e5d2eb75c33df4f3900

Download Submit
C:\Users\Admin\AppData\Local\TempDESAO.bat

Filesize
163B

MD5
5b8a64d8a40c0ee634f051917d11e111

SHA1
e803fb652a18a07cea05c4174de8361269e8193e

SHA256
0f7ddfe9ea42dc3c0b9769896b24b77eb92e5aa47ea797462d56e89242db8c22

SHA512
183d901404e67e2b839a50daa7de077716297d5c818407897c297dba7133d2c9ad15f74b75592140233a7e4ea2dd44fe6a69727ac02680ce585feb55503c3eae

Download Submit
C:\Users\Admin\AppData\Local\TempFOKYX.bat

Filesize
163B

MD5
d88357443dc6d6c77123dc558a58be18

SHA1
1c22e1b01b45d11ad9575918c07e2b63cd2caa9a

SHA256
2002df00eeb9ce5849e4d62934bb3bd7e7f11e89c7bd85db7c1610aa71827fce

SHA512
c5ca43bb6d3226846fd2b0ff831ac40fca53b33a63ad1cbc2cee86d6d85ede4611aed80a7139057a3c80025aa2b980daa45e3ed49cdffd1728ba9f3f2873b128

Download Submit
C:\Users\Admin\AppData\Local\TempGPBHM.bat

Filesize
163B

MD5
42d069ae459273b0a7ad18a831237702

SHA1
4ac36f878a22a4f32a153863e791d23da67ef06e

SHA256
36deba68c43c38607fde36f0f8a8df91154377fce462c42e90ef01b53f87a8ac

SHA512
182174d3a9a7a7985612ae379c7ea082b48bbfac6af0bb54ae3dd4b93daba4d8090d9f629a356215204093a62c4eb025711e0b039af56a5e77abb17d0e918eee

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
9d8c823aa9d6fc3f009d667a0b5c2aeb

SHA1
9cc26bc83d1c543b737c4880b73e40a6ed254bce

SHA256
980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4

SHA512
66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42

Download Submit
C:\Users\Admin\AppData\Local\TempHEMFK.bat

Filesize
163B

MD5
836521d4ad4f8736763662151254504d

SHA1
44b632ba33ea8a6b8421f6304cd3f9d002860142

SHA256
f8c773f1a932159c7c3c8e2addde51337da886bea049eafc11bb23c8748a3d69

SHA512
e3442a14023529e367e25d95510a6768639f68806f59fd4090fcbebc02eec526ea8f95be4f71f7f3b7ff128106d014cc3c774ffa8a394773274ea182552606ab

Download Submit
C:\Users\Admin\AppData\Local\TempHSPNR.bat

Filesize
163B

MD5
7d0f1f1fb7de2ae6af580a7edcd018e9

SHA1
716bf74156d54a69d125287bd8d7c4b183075cbe

SHA256
07ddec95dc34e18981e8ae8fae8bf0c3649d07f4a3f32023671e88fb60268b7c

SHA512
daf830c952085755b87d5a851576cbdb7f415c00211586733d2f24b0b328b755353ca6edf4a52958b9bece2d3a13846f231b84c9b93d4293c53ee227c9ae95a1

Download Submit
C:\Users\Admin\AppData\Local\TempIFOAG.bat

Filesize
163B

MD5
019c54e2e5bafd204722c542e67e41da

SHA1
8b3c2a9e6393eedba7a6563ab9d054512a245844

SHA256
a1ab22cbbc4ec1c0337c6368685a964b56a38f51aa3e8f6b8996a7ae5ccf455f

SHA512
bb07ec3e429f2e60a897567878deca657f9c78391cf67227bbad32b25d0efae9ca972b05b7a377968cdc5988e4db06e4c1bdcb4237665bf17ba022b03d428bda

Download Submit
C:\Users\Admin\AppData\Local\TempIIRMV.bat

Filesize
163B

MD5
d5525a81ac4f1525e5b9ee36b5f44da8

SHA1
d32eecbdcd4043009390008d519b307ee2f6594d

SHA256
d0f12393425d6303823fba88f9408f05de9fa1a28415a55159ef72b6a82df23c

SHA512
9f2d7918bf227d78dd55bbf2f063943c56aa500ba03e70688a19bebda454308dae2daf4ecbb77d34def69df956e013fce151abd4cdcf856985bc8ac524aa2e94

Download Submit
C:\Users\Admin\AppData\Local\TempIJRNV.bat

Filesize
163B

MD5
cc96f8097db5d6de467ff5c3bf6ee0f6

SHA1
ed8c320c28291f9653aa8ce27120d03d51108a52

SHA256
9abea05793954156ce1708bb67d41f4122010e1af30dc3674eb97b633f9ecffe

SHA512
d1820f71102a88453b1edd2f7b849b7fdb56b95e7cff5f4992564da6db17a4c3e81787aea2de08bebfb3f39f0374daa162931ab6cc572e25b3989004c26517fc

Download Submit
C:\Users\Admin\AppData\Local\TempJJSNW.bat

Filesize
163B

MD5
3dadb63392d1f18ebadd1e294f8de5f6

SHA1
48bfc6c5180a64be7e8346b81353a816929a59f0

SHA256
a9a1b62213c6522d01b6137c45f5e82fcf39c6e803869e1855da3a4225fd7428

SHA512
0e4a4a1c71ea1c82a13a455d3256910003703d659241ace0399f2ef8c403bf3609f553e46a028ff44d9e5a4de190d25a1cfecb92ed07c86636ede15d35cfc3a9

Download Submit
C:\Users\Admin\AppData\Local\TempJSOBN.bat

Filesize
163B

MD5
d443d477fba7c6fa6487ed970e616de2

SHA1
b2b0bb37b086b28823de69605013cabbd630dbb2

SHA256
d659a89fe5b1d4b724de9923a9839960c675e8300739ea3642c326f2fd95e89e

SHA512
259a96c3afd7c97362e711d401a9830490efb90d9699a00e95e8d68d9913b2e40be15e0b455d297925c1c817f96574446d85199bfed9e14dfca2c6e3eb56f465

Download Submit
C:\Users\Admin\AppData\Local\TempJXESR.bat

Filesize
163B

MD5
7a834aeb7d645d8e56e2ad753fc3baea

SHA1
e508d11620d9f4e787bdcebef7701093195002b5

SHA256
30dba56b4d6e6aac95a59f5e731290c563ce2f826784b6a77081809151dda0bd

SHA512
72fda821202a8dc90c1afbaaf6cc3d75677bbb06b9b9f1e0e4ad3ba0be96c43862f2d217762d97a5be40e9a0da80881a666c54f762b88b739540b1269cff57ff

Download Submit
C:\Users\Admin\AppData\Local\TempKOPYU.bat

Filesize
163B

MD5
73935805d2514ccac27ca8f52f65e1a2

SHA1
dd39b8a0373a5215b20dbc9adf70007724d688c7

SHA256
a4a1b39fd5ae5fef45af8b016a6e500315db4a885b197e36cd60d8d548804d05

SHA512
29eaf13166c63b849788b55c49ba9e65fff44ed89f5e4f95a7bc98804548a7f320df1493392cd5c11694dc9af33cc83f62867fef934a90ccf3e0136dff92078f

Download Submit
C:\Users\Admin\AppData\Local\TempKUPDA.bat

Filesize
163B

MD5
0e6ab59af60fc5029492a5be43227127

SHA1
f1d1786386fcc6d55c958c21fbef8c05a505c5c6

SHA256
299f9742f057f90a3e0ed769c7ca13564c9c8aa400ef80afd0b3ed14f7f92183

SHA512
c90fba7e3825332975fe3a397acd7fa4efdb7f456501d6d35e8c3676ecc9ba89fef7eef04ad3d43db5284218bdea3405c3d2b26ba1796ecbe1a0e53f21e313dc

Download Submit
C:\Users\Admin\AppData\Local\TempLWUSX.bat

Filesize
163B

MD5
30a7647b852f61d3298a9d718fc730ab

SHA1
6942410bd1a6c57db99bc5453dcf24c5abc583b8

SHA256
95ff6649eb0e960cec69f17b4e878c29fe19416fcd4295ec9bd38903a6a1d671

SHA512
023ff7949127280fa02b34303bfafacf3f6454c4c2e0a832806bc2372f15b6d801c242e5543b0bffa15cb754a7143386d066f96589630646a134448c943d4431

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.bat

Filesize
163B

MD5
ddac971a04e378bbf2fd94c2cfbf0a12

SHA1
b0997067e289db5fd785df179e7defba37f15601

SHA256
6c5a3a5caf34735397e2822195e083946304651ffbc6d13dbf20d8c4fe48c65f

SHA512
41edea125d01c05b4baf01087ec8f77541c4eed84e06f8409a5afb242a5be4b457e19ea3ad67493504edd06228397959ff0c41c12a0253385a23df867e1191a9

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.bat

Filesize
163B

MD5
01005956b2e2f9618ee5d54677a17f9e

SHA1
d06659adf8a2855ee3ad04156b940a9563c9dc64

SHA256
ee05376f2a67ea7274259ca95873248ea3ee11b830ec3c4337651ad369e0a20a

SHA512
56de6a0800e4b55ff3bc177e923cc78f83c3254a186d5b876c4085c203f4d4b40785e8609e44074873823e1fa2b6970c8c30d677f1701b53c77efd33daa125ba

Download Submit
C:\Users\Admin\AppData\Local\TempOKXXJ.bat

Filesize
163B

MD5
bbcba080f74aa2b1f066df621ba2c56e

SHA1
7f4d7e934406ff949e209ef6df6e1c79ef62b360

SHA256
dd38ce5046cdc489852a85feae011b6b3c2c33a6ac39496248e7a6c377b63d2e

SHA512
40d2e31125ba8aa042ebbefa850c34fc3f78023a0772677acabadc82867c2aec1c32703f2d806b680dc4f09c04ffe8983af86b2dbcb4972a9f7eb89832a74cd1

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.bat

Filesize
163B

MD5
473dc30ed03f9d3c35194a3ec215d3d3

SHA1
66c1d2e60445720577b60f40c1c85cfcb79e5852

SHA256
5584ab2bd7a45c9a98c32c9d7b295d49a5f38ab4915509858e8d385bdf0ab030

SHA512
473732fd7d5893e6d619b64e41f3f203758b4f6f1355e2488ab0517546dc1acaa08ed3d0cda540bd53312ec3c0052c0bbc6dc7696ac5b951e08a0afe8345df01

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.bat

Filesize
163B

MD5
e15ce9ba45689d817fb96275879803e8

SHA1
74cc2996ac7dde0c1811f7c74f3798e12f7b2a16

SHA256
5b6e60df17f289c0c2bb7577a797be852c776fe2d20b5e02f433e99b0ce3c533

SHA512
ba2e73459c52c4c584ae95d07cd6e1c607fb850554490fa41cf1fc94533ea570c3b661cb1a74637d491971d8d20b3e34cd83e5965e5fa8e0a5784e878fae89ba

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.bat

Filesize
163B

MD5
f12eabc05ad07e28998bba3d0c4b7517

SHA1
21aa28ea0e9786833d2cea38e7f8176560945456

SHA256
d6ed466f36738b8d14060e25c85244877190aeda44d43d0bd7b71203a44163eb

SHA512
e25d3d9b2ace750368e8a212701ef5415922669b72231abd716faec01db65ba14ae93cc3e5d8d9c4fd65e9edc69e0c6650268b6ef2cd9d1d0445a58b23f1561f

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.bat

Filesize
163B

MD5
80fcdb7f0d083ecadec5420f5524c4df

SHA1
04f86b3afa07b6fbe7e2591bdb3799cc2e78750b

SHA256
743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa

SHA512
7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04

Download Submit
C:\Users\Admin\AppData\Local\TempULJNI.bat

Filesize
163B

MD5
8ca42b41c8e2de27d308a6cc0759a024

SHA1
0ca13c792b5c2e0f0b28c31ba19f56810f8e0dad

SHA256
d6e22066c8860f60d38f58320258e5073e2695dfeaea7bc1a1111e2fb11ccb02

SHA512
bb288998fdd86c53ea2f2e45fcda1a01727eb7698a6f1dae71310c8c2fd695b0a1bb7cb5d74aa9eac3ec61711278a9728c7bd677c736a103e0ed90b4dfb8bc0a

Download Submit
C:\Users\Admin\AppData\Local\TempUPYPE.bat

Filesize
163B

MD5
abc643b0e8eeb7605f8e2cc38f040705

SHA1
cbd9c2cfd3024d23a49fb163833402c984be3b83

SHA256
c0627fd5a2860cce90b14cac3f9f2993a120414767c4e3a29ec6003bb008a1ff

SHA512
490d75709db51fa09dafab2da82420f3f03caa78671f289a6f2ab73a7e787455f77071066f35402c01386f620c4313d509436179971b05b597432c9ace4be3af

Download Submit
C:\Users\Admin\AppData\Local\TempUSBCV.bat

Filesize
163B

MD5
a306a20ffebfad9d9a4a69085fa2e10a

SHA1
16302ba8988a788399b8c7dd3c7372afb0b48537

SHA256
098e36de461a39e2809ea5c081101e873f057edb45a9328a3fdf9ce5d870decd

SHA512
7a5020b78928e439a9638818ad4e4de88302449e3b4b6d973207f45bcf44b4b1c534b295c36bf2bcb5751f62a1a571da1367e6f858ae1f57b88a6d481fa4f134

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.bat

Filesize
163B

MD5
f286a997dafd3f45392758cd25adb9c7

SHA1
dd9863ba8a55910f95341ac38268e7bbd6c27330

SHA256
5e6541f54dfab8ef75e8af742526b73008d832be582cac12e866c730228ecfc1

SHA512
68071827c9ea291a46a5931c8a87d56a0e1122b46b420173919c818bd47ce3caa4a273b161301890cc48fba61b5867a8461cffe2ad7edd796a808d8238e3355d

Download Submit
C:\Users\Admin\AppData\Local\TempVIOTE.bat

Filesize
163B

MD5
af66810b65f32842b09a56ea7308a2df

SHA1
c438d8a35b15310226958e86347ae4c1f9a36f7c

SHA256
d6bdaf56dc48c6e8c3bd5e73b6479aa9b2695e89b0077e4fd8185ed9ff541b6a

SHA512
93e1f076a41ff245d418acfb779c8779561c9b06e5d4391f87ef7a94b46368295a630a0196c069eb5371e59361afe242e925394d4899de721d504b6aced0fd65

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.bat

Filesize
163B

MD5
38582d0b8684e515acc8a0b855142358

SHA1
091d9a23d9ea9a7fa0a7583fc3233521f038d3f8

SHA256
86ace41294290c8dd92509de6b1a6245e1ac20c41f4f1d7501be7ee721223776

SHA512
b5b207d182e0c3b8ceb79160238c24e6af6c482485d77c2b2b4bf0130611db60c503c2b1f6bcf4220328862c7ff650a3ac4f508dede00b8e50e3dcd92241a633

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.bat

Filesize
163B

MD5
0d7ee6c9335600ff283e6c3556a9761d

SHA1
0aca254bf63f47db664827f53deee2b2cc6ee010

SHA256
0036d95d3c4b94f1b46d35e6eaca10da20170c21a525b7c84dd1c2fe0b0d9cba

SHA512
6688d8cfa9a29597c2e0a34bc43053fee01e1cb28c96c1d6cb49f67e6735cf85dd7afc534849a3822f828e5ed3455180100ba08a12f0841efca1fd0c2f6c53dd

Download Submit
C:\Users\Admin\AppData\Local\TempVRQFO.bat

Filesize
163B

MD5
376a41f89bf726d8018efa7f032544a2

SHA1
d85b188694bc0c2c550f9899d899f45ff74e0f8f

SHA256
316f6605f3b01c2ef8642d1fcad84fc2f7e3a6f7f5727d2cfccedd7e66807f33

SHA512
6f34ecccb7dc6ca1c424fcab8c2e0916b240429f8a5b73e88c08da6e1e9b94ab2f227b960f59a92f92de3d6b48948a2ca656b13a301b51341523dfdddafcccb0

Download Submit
C:\Users\Admin\AppData\Local\TempWFFOK.bat

Filesize
163B

MD5
136995d08bf8029fc152609efd5f78ae

SHA1
feba98078b608e7ff79f620f89318e514567dfc6

SHA256
76f998ad80d22315dd921335516d42f5f7a9c66ecfed0303519e1d4e362d10a4

SHA512
f0e2c72f7196b84d31055efda93bf74c22847a8573361da37a2378d4924615f3bb6478b29c8d8ac9a5dad2a24152fb70a30444bba9770122b68c976ac96ec66a

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
05608828504e3676cef951b8df0129e0

SHA1
c21932475e83ba219e6025657a54214fc43fcf32

SHA256
be65e5129ad5455e50dac2a352062c7f82c1c8dd519afc01e682ce7d87dd15e9

SHA512
3322f59fa383e0e3086ff2598b50348b6865702f71a63b47a900c3654c29b1a26f9775fe1b2dad31352125f9870e47b042b1b008a20773d8b3ebd21ea3ce2372

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.bat

Filesize
163B

MD5
4da214ab6c0ff1e035f3cb3b2976f865

SHA1
42394df7370e2a40c797beae1b094732a27b70d7

SHA256
ddc3324cb11bc4bd07d713f33a6531cea7750d31bc5ab71f12b55ed0988eed86

SHA512
7aba0cb4f74e0dc3fb2c6c8e77a507aa2458083f7e74a1e5363fd5569337a2631122a7ffafa6530592afcea6334243a44f5c98acf680c61d3f365ce83c66a9ba

Download Submit
C:\Users\Admin\AppData\Local\TempYGPGD.bat

Filesize
163B

MD5
1f8f579ab62cfe581c4c6de860067269

SHA1
6f7cebb86c094487b897e28f8bdc260ff16775b6

SHA256
206b0a8b5576f2f0dff9c0c148dedaec8c2e8b12e29a91b89e3af94010328d84

SHA512
c3fdc977c60ffa648d4e3e9d79773512721dad09ca6502c700cd4bf0f8f8fd08f6f559221b108263af8163df501cf439d73cb2c4d64937501551171dcc3c01f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe

Filesize
520KB

MD5
bc8101cb28a9297076e135e6845206a1

SHA1
737be8a5e3485f8f5c196253b8b3272802e1b7c2

SHA256
dbc0b03a6895ac1f353189f6ba9c157585413a591e62dcb998e8845aafc43dfc

SHA512
960a02be24f7c0dea00d38c60b0b151537dd807716beffb4580deb565913836b127590081b1b76659cdcbfb148234da91971f505bd13c3be6f56f0280a72f7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe

Filesize
520KB

MD5
3cf37a682da8554ff584b32e9d831a24

SHA1
c7a45e3efde55bf100f72eb44aafac22e8d26c62

SHA256
e2553e933afaa9d68cedbfbcf59fe16c7db703e4e80240064d9c2fd1f3a7740c

SHA512
0b170f2e8a4b9517dd02b847547b066cb3e89ab4f96053a860893e20e8b7125d808960c5f8fd6452d172e5bdb869a5e9d24fcf07597ef5e64f842dd3974d6583

Download Submit
\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe

Filesize
520KB

MD5
a563d16a8749273b5349b15163ad5226

SHA1
8863d96f43443b341e83f1c82c1b03286f5e8019

SHA256
3e83f49453f3da4349b43a670a2edf49cd602bcf7b203d7544da3ffb11d54f7b

SHA512
030700aa38fd83e0fef8f95d5edb20dfb65349499c731aeb01affdfddc7eaff250ffb61e9e58f9248e5e87098ff47c2e34b01eef212469ca1238b82585c44fa7

Download Submit
\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe

Filesize
520KB

MD5
1d52c89b7b8a3dfaff8daa4b0909cc90

SHA1
8cb4bd9a7199b46541b7fbf9ca04292f517cb8c9

SHA256
a17f74411ec466acfacd7b6197385e5a4a447c70f85a1f346afa70eb2d351231

SHA512
db86ad43e81307ad4e77978a5d267a68c2a888ced1ec293fff9f612fdc7b5a53066f074988af861d1730e78cf4706d35f95631624d161a5ec91110058e7cff84

Download Submit
\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe

Filesize
520KB

MD5
a9c82ffe10d9dc26d5b0ddf719148d9c

SHA1
f2e2c0fcb270f82cceee406023d172e422493cbb

SHA256
50f697e37eeb3596b61bbefdd4685cff428ff9fef3a70adcda6ec316191055f8

SHA512
c2bc05c50591dff6e35a5facff77f3dd313cc84db625e7253c52cd7f3123e33bcef26285a623bafe7b959ce7fb36e7843f7739fd959b191e92dee3447bdfe55c

Download Submit
\Users\Admin\AppData\Local\Temp\IESXQGQKILXBYGU\service.exe

Filesize
520KB

MD5
2f13525e9ed4625372ec4b7f85f54bdd

SHA1
b9cdeff61bed26e602195a0259975458c158dee8

SHA256
42dba41a71ec08fb78ab16ae4f9e4408d01748aedd3bc2876deb883dd1e7c98a

SHA512
ded9156fb9abd6b4ea667e55187c58529d383b5484f6c315ca2af947646548440c373bbcbbba39810e1eafbcbbe7a891cb41aaf77ca52fbdf6aa0f92600e83f2

Download Submit
\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe

Filesize
520KB

MD5
aa70c73210d76f6443980e75acd47297

SHA1
aedae41385facc4e0254a04663c31916cd879e11

SHA256
c3e09ca6d7718f9b6cd7550ce8e695a6942bb5a25f52b5b7501e61890143f141

SHA512
99bd43e938bd4db8312e2058d2e4fd2d7787e82b206cc447b5ee0c5a3ba47a261aa692746d600345a4e58f8a89d51eff1de7be93f81748dbe23e1161539a0a44

Download Submit
\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe

Filesize
520KB

MD5
ef4e8d28212aec3e2de86c9dc1c4548e

SHA1
de9e8bfbabf85b2fdb65c9217a3ea50635d00756

SHA256
18de78c7b522d7adaf6a468083077a987dbb1034c5b4bf7c85166919a1045c8f

SHA512
6668888d7b598de9a19e0a287184decb6719dc9449963fb303bf6c5c27056ffc2e224a0ef01fa04478ecfb474f94a343297fe24e477691e6a5159f18da3bfdd7

Download Submit
\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe

Filesize
520KB

MD5
3d2b7f9494b7184d58720f26969b6aa4

SHA1
138d8abe6f3448e809b627086171fddcd3181b3e

SHA256
2bc6ba7dc8ad34daed6acc8ff997fa54679e23d38db77d6f5ae2461503620ed6

SHA512
d243431c84c90946b3cbeb796ba3cfead791de525786d6c0ab30e121b07aa7f92d6e9387aa2a94a5ad60a798f1aeb9b904ecc78f7a9c1692d4f9b222fa2a306d

Download Submit
\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe

Filesize
520KB

MD5
c4568054c4ef0a8fd34c73a59b72e5e3

SHA1
60698ee12c4c07cd366c197dfc2f0fb2a07f7747

SHA256
3c2b79b185d3d8ec3157d76c964c4520c17ba091c3615da11649b9c04d894544

SHA512
d5252bf5aa453657bdd961c2c37b84bc88cf9986326c27cb878365f3cbd5237f3e742b380b1381689f88b4e20b5f063e922364c1f722e716bef5fcda007bc196

Download Submit
\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe

Filesize
520KB

MD5
31855a79bb93c3c331cc5804588380e7

SHA1
eacf21731617d0ee4f943a91e05b875ff17c4277

SHA256
0dde051c6eadbb9ac5b46b6e086bd79424fda67f3c560bd726c6bb22e3ebd743

SHA512
6edf76a00b941d110dc7092f7ce5372fa5c6aa0d67e414b6252d7b10d02bf0f7628f2ba213eea9d9f946dae72e60607e7c9754d0edc462fc88227cd2113efbe4

Download Submit
\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe

Filesize
520KB

MD5
bdc1b6eee1f34a13a763dc0a562d2160

SHA1
049018bcf73818f4738eb3124a271df2a396949f

SHA256
b0b35947c94c034218de66dc37627206a4ee37e610e003f7763e0a461a57a8c0

SHA512
8e75b2cb11992db5fb17282fa4d1176341f2ad22bd604c6b868125a1d51347053e144de7a214c882cb86604b15c7612a6a7caaeb4666553fa42ef55485ff930c

Download Submit
\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe

Filesize
520KB

MD5
54f4c6ff0c2598b290e64406573b0bba

SHA1
b96f13df888c9ef770f9b236ed95f79e69ca2981

SHA256
4747470c2521c8ec4857d1b7f4c8513fffe014da4745c9092bf648adb29781a2

SHA512
f4ffa3e3a5065230077070b5cadd07e89a5773b55c8de7599a6f2891883709bae1c499826edaabbea562f54ba3f5bb02484621312109b22f07363b41b5851c81

Download Submit
memory/1976-930-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1976-935-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1976-938-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1976-939-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1976-940-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1976-942-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1976-943-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1976-944-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1976-945-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads