blackshades | 1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f

Analysis

max time kernel
128s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
Size

520KB
MD5

9253bfbcd2397ce613b1ab1b59f4d581
SHA1

99165784f0e95d1c58722948a62160e84b15b2b2
SHA256

1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f
SHA512

4ddd56a125c5bdbbfc895df5c3b4f2906291aa6815c78e85d739c9e198612ebc9401f0a3f2a40c327fdbe24d61da65d57f9cec735c613bd42637051ae2ea3018
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX7:zW6ncoyqOp6IsTl/mX7

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral2/memory/1252-882-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1252-883-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1252-888-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1252-891-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1252-892-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1252-893-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1252-894-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1252-896-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1252-897-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 35 IoCs

pid	Process
3648	service.exe
3172	service.exe
3796	service.exe
2616	service.exe
2584	service.exe
4492	service.exe
3384	service.exe
1332	service.exe
5108	service.exe
4080	service.exe
4864	service.exe
4888	service.exe
852	service.exe
2528	service.exe
5092	service.exe
2836	service.exe
4360	service.exe
820	service.exe
2976	service.exe
2036	service.exe
1988	service.exe
1540	service.exe
756	service.exe
2900	service.exe
4036	service.exe
4408	service.exe
3512	service.exe
4924	service.exe
4984	service.exe
1984	service.exe
2544	service.exe
3868	service.exe
3884	service.exe
4324	service.exe
1252	service.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGUBKYTRCWJCWYD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECGBJUWRPSHVDLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVIOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HLIIUQOSNVKLDKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBBPUMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPKJPLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGCQWOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JLXXBYTRAYUKXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AONHQXIEPIJSWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYHTQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSVUWIMRFCQQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRWDDBJCGVVIKFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSQXTIWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ULAVRMVGWBGVWTC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEPMLPCGCAQWOFF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTCDOULJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVARMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OBEPRMKNCQXGSWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQCJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABVSMAWHXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNFXOLFVPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWDMVTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOFXPLGAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWVMCQMKYPBOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVOAPPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQGRKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHPHQNHXRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNNUJIJFDKFVIQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BIMADOQLJLBPWFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPNLQDHDARXPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMYYCUSBVLYBGPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBULMJRDKO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WESRDLDUMIDTNOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQFEFBGBWREMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAONHQYIEPIJTWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMAABWBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDKWAXSRATJW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CXBPFTOMRERTOHK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOIBGNWNSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGSTOMPESAIAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IKXAXFTSENEWOKF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAONHRYIFPJKTWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWCSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WWIQHRNIYRCSCRS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDXUPCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RNBOWCUYTPQDJQQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQGUQOTFSVQJMNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKLIQCJN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OKKWTQUPXMNAFMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWBDTQQ\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4324 set thread context of 1252	4324	service.exe	240

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4536	reg.exe
3984	reg.exe
1660	reg.exe
1888	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1252	service.exe
Token: SeCreateTokenPrivilege	1252	service.exe
Token: SeAssignPrimaryTokenPrivilege	1252	service.exe
Token: SeLockMemoryPrivilege	1252	service.exe
Token: SeIncreaseQuotaPrivilege	1252	service.exe
Token: SeMachineAccountPrivilege	1252	service.exe
Token: SeTcbPrivilege	1252	service.exe
Token: SeSecurityPrivilege	1252	service.exe
Token: SeTakeOwnershipPrivilege	1252	service.exe
Token: SeLoadDriverPrivilege	1252	service.exe
Token: SeSystemProfilePrivilege	1252	service.exe
Token: SeSystemtimePrivilege	1252	service.exe
Token: SeProfSingleProcessPrivilege	1252	service.exe
Token: SeIncBasePriorityPrivilege	1252	service.exe
Token: SeCreatePagefilePrivilege	1252	service.exe
Token: SeCreatePermanentPrivilege	1252	service.exe
Token: SeBackupPrivilege	1252	service.exe
Token: SeRestorePrivilege	1252	service.exe
Token: SeShutdownPrivilege	1252	service.exe
Token: SeDebugPrivilege	1252	service.exe
Token: SeAuditPrivilege	1252	service.exe
Token: SeSystemEnvironmentPrivilege	1252	service.exe
Token: SeChangeNotifyPrivilege	1252	service.exe
Token: SeRemoteShutdownPrivilege	1252	service.exe
Token: SeUndockPrivilege	1252	service.exe
Token: SeSyncAgentPrivilege	1252	service.exe
Token: SeEnableDelegationPrivilege	1252	service.exe
Token: SeManageVolumePrivilege	1252	service.exe
Token: SeImpersonatePrivilege	1252	service.exe
Token: SeCreateGlobalPrivilege	1252	service.exe
Token: 31	1252	service.exe
Token: 32	1252	service.exe
Token: 33	1252	service.exe
Token: 34	1252	service.exe
Token: 35	1252	service.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
4116	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
3648	service.exe
3172	service.exe
3796	service.exe
2616	service.exe
2584	service.exe
4492	service.exe
3384	service.exe
1332	service.exe
5108	service.exe
4080	service.exe
4864	service.exe
4888	service.exe
852	service.exe
2528	service.exe
5092	service.exe
2836	service.exe
4360	service.exe
820	service.exe
2976	service.exe
2036	service.exe
1988	service.exe
1540	service.exe
756	service.exe
2900	service.exe
4036	service.exe
4408	service.exe
3512	service.exe
4924	service.exe
4984	service.exe
1984	service.exe
2544	service.exe
3868	service.exe
3884	service.exe
4324	service.exe
1252	service.exe
1252	service.exe
1252	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4748	4116	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	88
PID 4116 wrote to memory of 4748	4116	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	88
PID 4116 wrote to memory of 4748	4116	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	88
PID 4748 wrote to memory of 4408	4748	cmd.exe	90
PID 4748 wrote to memory of 4408	4748	cmd.exe	90
PID 4748 wrote to memory of 4408	4748	cmd.exe	90
PID 4116 wrote to memory of 3648	4116	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	93
PID 4116 wrote to memory of 3648	4116	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	93
PID 4116 wrote to memory of 3648	4116	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	93
PID 3648 wrote to memory of 2588	3648	service.exe	94
PID 3648 wrote to memory of 2588	3648	service.exe	94
PID 3648 wrote to memory of 2588	3648	service.exe	94
PID 2588 wrote to memory of 5000	2588	cmd.exe	97
PID 2588 wrote to memory of 5000	2588	cmd.exe	97
PID 2588 wrote to memory of 5000	2588	cmd.exe	97
PID 3648 wrote to memory of 3172	3648	service.exe	99
PID 3648 wrote to memory of 3172	3648	service.exe	99
PID 3648 wrote to memory of 3172	3648	service.exe	99
PID 3172 wrote to memory of 3088	3172	service.exe	100
PID 3172 wrote to memory of 3088	3172	service.exe	100
PID 3172 wrote to memory of 3088	3172	service.exe	100
PID 3088 wrote to memory of 812	3088	cmd.exe	102
PID 3088 wrote to memory of 812	3088	cmd.exe	102
PID 3088 wrote to memory of 812	3088	cmd.exe	102
PID 3172 wrote to memory of 3796	3172	service.exe	103
PID 3172 wrote to memory of 3796	3172	service.exe	103
PID 3172 wrote to memory of 3796	3172	service.exe	103
PID 3796 wrote to memory of 4636	3796	service.exe	105
PID 3796 wrote to memory of 4636	3796	service.exe	105
PID 3796 wrote to memory of 4636	3796	service.exe	105
PID 4636 wrote to memory of 2320	4636	cmd.exe	107
PID 4636 wrote to memory of 2320	4636	cmd.exe	107
PID 4636 wrote to memory of 2320	4636	cmd.exe	107
PID 3796 wrote to memory of 2616	3796	service.exe	108
PID 3796 wrote to memory of 2616	3796	service.exe	108
PID 3796 wrote to memory of 2616	3796	service.exe	108
PID 2616 wrote to memory of 2628	2616	service.exe	109
PID 2616 wrote to memory of 2628	2616	service.exe	109
PID 2616 wrote to memory of 2628	2616	service.exe	109
PID 2628 wrote to memory of 4164	2628	cmd.exe	111
PID 2628 wrote to memory of 4164	2628	cmd.exe	111
PID 2628 wrote to memory of 4164	2628	cmd.exe	111
PID 2616 wrote to memory of 2584	2616	service.exe	114
PID 2616 wrote to memory of 2584	2616	service.exe	114
PID 2616 wrote to memory of 2584	2616	service.exe	114
PID 2584 wrote to memory of 4596	2584	service.exe	115
PID 2584 wrote to memory of 4596	2584	service.exe	115
PID 2584 wrote to memory of 4596	2584	service.exe	115
PID 4596 wrote to memory of 4024	4596	cmd.exe	117
PID 4596 wrote to memory of 4024	4596	cmd.exe	117
PID 4596 wrote to memory of 4024	4596	cmd.exe	117
PID 2584 wrote to memory of 4492	2584	service.exe	118
PID 2584 wrote to memory of 4492	2584	service.exe	118
PID 2584 wrote to memory of 4492	2584	service.exe	118
PID 4492 wrote to memory of 4888	4492	service.exe	119
PID 4492 wrote to memory of 4888	4492	service.exe	119
PID 4492 wrote to memory of 4888	4492	service.exe	119
PID 4888 wrote to memory of 4360	4888	cmd.exe	121
PID 4888 wrote to memory of 4360	4888	cmd.exe	121
PID 4888 wrote to memory of 4360	4888	cmd.exe	121
PID 4492 wrote to memory of 3384	4492	service.exe	122
PID 4492 wrote to memory of 3384	4492	service.exe	122
PID 4492 wrote to memory of 3384	4492	service.exe	122
PID 3384 wrote to memory of 4216	3384	service.exe	123

C:\Users\Admin\AppData\Local\Temp\1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
"C:\Users\Admin\AppData\Local\Temp\1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSYEF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWDMVTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4408
- C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe
  "C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTMPRW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGUBKYTRCWJCWYD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5000
- - C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYKQV.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3088
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WWIQHRNIYRCSCRS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:812
  - - C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
      "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOLUG.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WESRDLDUMIDTNOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJSOB.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVMCQMKYPBOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXAMYJ.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBJUWRPSHVDLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTPXPD.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HLIIUQOSNVKLDKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAB.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBBPUMUITJ\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\YQKDJQBBPUMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDJQBBPUMUITJ\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
        10⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOLQLS.bat" "
        11⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDXUPCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVJQK.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRWDDBJCGVVIKFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
        13⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGCQWOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUKXAF\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUKXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUKXAF\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBUUJS.bat" "
        14⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNBOWCUYTPQDJQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJKHPB.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SAONHQYIEPIJTWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSAFCR.bat" "
        16⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQGUQOTFSVQJMNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDKWAXSRATJW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        18⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXBPFTOMRERTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGSTOMPESAIAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "
        20⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTCDOULJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHOSE.bat" "
        21⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVOAPPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTEDHY.bat" "
        22⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OBEPRMKNCQXGSWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVOPYO.bat" "
        23⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IKXAXFTSENEWOKF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHPHQNHXRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVRRGO.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKKWTQUPXMNAFMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTQQ\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTQQ\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDPVMJ.bat" "
        26⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABVSMAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGSDC.bat" "
        27⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BIMADOQLJLBPWFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOULJN.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ULAVRMVGWBGVWTC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHPBH.bat" "
        29⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AONHQXIEPIJSWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "
        30⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYHTQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHDARXPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVLYBGPG\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVLYBGPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVLYBGPG\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJKHQC.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SAONHRYIFPJKTWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHCIWE.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEPMLPCGCAQWOFF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFXOLFVPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        38⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe:*:Enabled:Windows Messanger" /f
        37⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe:*:Enabled:Windows Messanger" /f
        38⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        38⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        37⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        38⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBUUJS.txt

Filesize
163B

MD5
f327c16cb74029fa4243220f39138475

SHA1
1736ffd66d1fd493f13f9c3ffbab664d594f58ed

SHA256
10f8168e5a7479a998c5480189b6beed9ae6a1c23a11b3a35893312b1d56cab2

SHA512
e7358104bf4d9643c30eda1e1262b852ccd46a4f3d346d1d6236dc8b4b330a9dbd457b1a6e7981a154a9cb76705f12798bc8ad50f8cdba24969502b29b49102a

Download Submit
C:\Users\Admin\AppData\Local\TempCAJXF.txt

Filesize
163B

MD5
090748bc9602416f9a03c48ad61ffe32

SHA1
408364315e7c18e1f13ee32b2b0bdfd83418bf24

SHA256
1c9f4bb3392dacdaa6b8db0362ab5061a0847de96bf346840cf12fef4de95ba1

SHA512
4204fb2973487a41223d33970709cb683725113ff16854d793f28e0a2bfdbccfa48be98ebcfd9d9cdad3c385e3cb7697c62c4fd349333ca8b425e22e1a8ce007

Download Submit
C:\Users\Admin\AppData\Local\TempDPVMJ.txt

Filesize
163B

MD5
31c007ce79ffdf573e40fed954e5fc90

SHA1
72a289da49e205aa9e21b24d3a5709a2d426d0b7

SHA256
9406c07554dc63342dad58b6d17a593908f3fac754e51938dce56ab4988e9b2b

SHA512
db4e3b71e8c5a2ffc7975a6e6e58e23873ed8b1de66f0468790289bb3f9ef55e9f34a3662721b5a09f9be175e716c2087a29aae11dfd61172d1d81aaf76474f0

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.txt

Filesize
163B

MD5
42cbb906a357b23e88eeb5ff28f96129

SHA1
1615507daf3bb0185f426cce62510498779ad003

SHA256
fb04957debeee10eb6d671599f04687240537aafad8950ea7f3b2f59f7956034

SHA512
39d63695e07872510758ee89e3ab1f0ae680d778a67224ebc5d2e139506bfc2db9fa723ff2414cb9891a647be933d739daeb003d951be97af73e31151643ac8c

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOJ.txt

Filesize
163B

MD5
c40ccc6024a32fa2c1e0ba2c35a0eeae

SHA1
5d886dd1fb775cd8affd36f73b5e126e397baf00

SHA256
236db63c9d6c1927e670efe893af4b151f28357d3cf2a9014ddd25dee444fe6a

SHA512
9c64772c50c1c4dfdad08a0225b21461498b949e0a4e05de1745262755c7f13fe16465dccfe8e06dc64ea9f345381341c4f288b04f1833b54b7173df2edcc5ce

Download Submit
C:\Users\Admin\AppData\Local\TempFVJQK.txt

Filesize
163B

MD5
939f400b02a02dc3f784830d43edbb5d

SHA1
1965896c4066f2fbd8c5a3c19964c1e47597bea1

SHA256
f79fb53cc696198f3eeb8d812023cc369772241435aaa2aff85425ca08babc6c

SHA512
e4237a1f3145eb05ab7e3c786558ec9a7424af63e59c2be0ff95c46903cd19930af8192277c89869fc8bbaddfcdfff9c841e683f0951e5765078e473134e5b54

Download Submit
C:\Users\Admin\AppData\Local\TempGBIWE.txt

Filesize
163B

MD5
9a3be5ddf0b4a7620f4823cccfda1a61

SHA1
df357a5f21eb4d4a7ccc2098d97957c6ed24aa28

SHA256
a22e3cd25a81ab63672c27427e93fd95fd837f00ffdbf82aa38d965e0da3a5c8

SHA512
2b770ca6651cf4be4878ece762846471c80f618252859e0851b91899a6d8fd0a7cec63e80ebdb274690aba82e908acb0c5e62384d5f220f57403ba3be54af5e1

Download Submit
C:\Users\Admin\AppData\Local\TempHCIWE.txt

Filesize
163B

MD5
5ce4ce301b96094b3e2ff575cb8354b6

SHA1
d285ad4feddd6a2776dfcae7af71d650863c114e

SHA256
5eb9141c3f29d806eeaa2335d62aa52fed2725909d0071e18178ba0a5f98615f

SHA512
a8ab34da72c4167db0b2914688268217d67b38bb98991b8769ddf0d96695937b3533e8a1cef3ab0712ab6cfaa3a4734a3d676c35d089ead83ce7ed92634cd279

Download Submit
C:\Users\Admin\AppData\Local\TempIJSOB.txt

Filesize
163B

MD5
152e2423f0fc3dd8d2f535bcf4f0e2ba

SHA1
f7d482bc72b4638e4081028ddc1c29e459d613b9

SHA256
1a5f815dc483c4e85a08219cbb21f06cdc89c29bdd91946030448590752479b9

SHA512
2854ab938e8180a7f562d6cd7f0f16e9e743cd7bd298c1c72911fea7d0b82fa70062c86f77e7f9b54f8904ecaa11506179adcbb9146bad6bd189bdd53bf73fb7

Download Submit
C:\Users\Admin\AppData\Local\TempJHPBH.txt

Filesize
163B

MD5
00b7af44531088a30a6650987a99ac2e

SHA1
7a862f2ac92c365d7aa9372c89dcce37bcf35510

SHA256
31cc9867679c60f20a00e3e5d05d20dc63a7b0e915a1889fb153195164c4fe65

SHA512
d50df0c790741e63dfdb7baa4b59a3133c3f8ab8e699fe34e016d871aab54e3c7947a5693aaed48e19ba4d2ab313c17460d9c6eee5a1c003214a2a3946f2b722

Download Submit
C:\Users\Admin\AppData\Local\TempJKHPB.txt

Filesize
163B

MD5
6997a2cd609eec7a7107b4e91afd3cb1

SHA1
4a2bd3b66e8932704ba33ad9d6cbc79e26689f20

SHA256
f04a18af9776605d53dbbb2d3926386c9d7504a3dfb2add06b774afa8b492ddf

SHA512
e899a35fca1071bfc34715bb65be4eefbdbc96e64157afad9b60cdb65bb39595fd3293d950b5c5abfb30a7562159739250a656f33e98d18c78851daab432661e

Download Submit
C:\Users\Admin\AppData\Local\TempJKHQC.txt

Filesize
163B

MD5
402deabdde613a3823a92710845b14c4

SHA1
4e25472785d5b0691f001ca3643660726bc86c80

SHA256
fdeffef0e1612f5350e4a155f24982df956989fc8f4841816ca66fe093006d55

SHA512
835110a7a51684539cdcaae9418cac7597bc3d0b4200fe0918d631fb75fddab24fe26bd7b09062e37757e61a9eae54f6d95cac020b924ae9184b5681d7f4623b

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.txt

Filesize
163B

MD5
f74194a2eaf34d298f2be73064ca60fa

SHA1
7a737f95795718d37ed121173fb2459b323bd59d

SHA256
346c71925dd5b34b92f0c58668ba5de5c209c66346bec24e0e0dac7f37762c49

SHA512
edac3713c34eafa7ce54859afa019583e99b45dd5271ce2934726e97ac75d27f5267f6dd9a832ae73981291f554047f99f1306438f2c5e1d48e1265faa2a7a6c

Download Submit
C:\Users\Admin\AppData\Local\TempNOLUG.txt

Filesize
163B

MD5
4eac31b6ee9115d1e2a55770a37c7459

SHA1
262df2476b7a1b86c5d67b6ef1eabe393723bcf4

SHA256
fa42e075383a7582297fe0b7a3f7c4a60d81793ddebaea33d26e04442c57151b

SHA512
fa9ac5ddf495cb2a26c6846334160f337889f40da67ce96ef87da04745e0367be5dafd02dcad8725514dcebba8734df4cb58b7046fb5d19831235039a27ff743

Download Submit
C:\Users\Admin\AppData\Local\TempNUJJK.txt

Filesize
163B

MD5
946143a6b6c3e705ef6dcd819920831a

SHA1
9efa98ad100f0964331bc437d5cc9dfdc01f5004

SHA256
fcfe190704ca20233df417b476b75a0c7c1614c512fb34f286b3804e55bbc77d

SHA512
9e7b8b9c7434937ef5dd499dbd3e441e739a930d4f6e63ca84ec22b41e91b0fe8f68c0345d9f6afaf3ec0069467347d823b92b1532ce8014a5aa506366c723c4

Download Submit
C:\Users\Admin\AppData\Local\TempNWIOT.txt

Filesize
163B

MD5
61a92c2f8da5613819787016952ca2c5

SHA1
216e3f83607296b70ca3ac6bbac03a31223acbb4

SHA256
d9ce8e32face4e4cff99fc4a2b26a6bc838429253ecb1d919c9fe63f0a4a948e

SHA512
4411208c58bf40fbae47e697c2ba281ee752fd2c7e2e44882d2419f57b3a6d72790f61549e1047115593dbc58d1f67ff1bfeb328bb6ea51c5c56f6c379f57f8c

Download Submit
C:\Users\Admin\AppData\Local\TempOLQLS.txt

Filesize
163B

MD5
d3dcd08d7bcac530c8a11c84a5b2e749

SHA1
fc5d0d2e848a95655485b08aa973e31995cc0277

SHA256
2c271da8a16e4c8f439eb60c8c5e44910557b616a96d5cf798397f9608ca42a6

SHA512
fd65e2b62119fd970d18038c13be7aa5bb06ca9591eb4b43738759c76696f1a2f3ce85e5706f451f806b2fc4263d5fb5aceaf80f81c6a97d8dac7d31f9a15742

Download Submit
C:\Users\Admin\AppData\Local\TempOULJN.txt

Filesize
163B

MD5
bbab4fdc47265a5a4a42a652ac7402f5

SHA1
6f40b869c36d1aa1ff025d2654c00f057f515037

SHA256
3fd203226689390068cc8f7187319a3b8f965d345192aa54d9fc077f57e5ba41

SHA512
80086acc8ccc6ff718890a942cc249ac28d0a9135c529d1e0c3d02ad72bf9aba724b5195d1f18445449c5282076ad779504c59af363e80a054986525f9ed41c2

Download Submit
C:\Users\Admin\AppData\Local\TempOXTAB.txt

Filesize
163B

MD5
9f29f98f5bef0c6c1cfe66e62746c44f

SHA1
80d10a68536e4e3a549cca70c2708305afd0ccff

SHA256
e0ff6940049c4dc828c4242d21d90271a74d07e9c0f08f1d87bf7652322f746c

SHA512
92b0f0ae36e42998a18c96ec9fc914ff7cc931329ac690eb47dd5517351fd38464ad943a078124ba16bdc3614e8a72c68ede842e22387b3e6b6ae6400d475e70

Download Submit
C:\Users\Admin\AppData\Local\TempPYKQV.txt

Filesize
163B

MD5
f3d893f0225fca62e264e5e42feb46b8

SHA1
86e18db9acdcb651c9e4dbd61dc422f8b8e11735

SHA256
1a365602dd07c8b9002aea168717f642f9510694ecb2e5e9aa90c40b2396c4a1

SHA512
7809d0562b16cfdb2749ccd210d8a15485026a0a6044d37b814ed69385f47b3ceb5182ce4235be575fc8041c064b7bb8613da067c5067f704c61bbabc6f438e5

Download Submit
C:\Users\Admin\AppData\Local\TempRSPYK.txt

Filesize
163B

MD5
2403a927f65cc1f96001f7decdcd66f5

SHA1
1d1f147fde01765b788f17223954098d9ff11b88

SHA256
901ccda4d779eaef4ae4770838c54bf1ff04a5c4c753345e0420180b4e7f89e2

SHA512
890c5b4cebdbf63c5a11dce5678425f694d49a01efbb2579fcf17c86400633d6afee0cab7aba252aaf56c080e99a72818b0397d3593c128c1ea8df59646d5576

Download Submit
C:\Users\Admin\AppData\Local\TempRSYEF.txt

Filesize
163B

MD5
3f557a7e7ee27e82615118a55d1cfb4a

SHA1
2aa9f125d27ccb9aa10ab85955ead9cb0b22013b

SHA256
973a85b9f862f6568f889eb3f23cea3531c6d841e9e5a5d110164757d36cf8c8

SHA512
d7890627568184b12c39d9c0846c1557732084e172efb396c6e3d4776992a7d307505c46733ea9dfa9b1b155a10efebad9f1581332a5143c388ce6cace531e9f

Download Submit
C:\Users\Admin\AppData\Local\TempSAFCR.txt

Filesize
163B

MD5
e246fcf7d952b8c2ba6960de97641dfc

SHA1
95ffe8659d05e94c5feeb701e79e72fc62f64270

SHA256
7a352e7c9c5b078ad63b202b82b3f8d8ec83f08d7b103107030a0db209fc24d1

SHA512
46e23504262ac58e52f97e1dd7a6c8320cb5ec165b84e609d53bbabc017c93526e9907d0fb03eaff85577fa5ae2183657ae7a47c1137cdc4f0b94c9328609186

Download Submit
C:\Users\Admin\AppData\Local\TempTEDHY.txt

Filesize
163B

MD5
f7d9919c9a11191de47a2ab6e2873632

SHA1
d5291a3605a0fae819b72430449799b19ff1a10a

SHA256
d7f3b80e6e5eecbae7611d607e92d2cb458c9bf1dc5d7cd2dfc219ef25972b9a

SHA512
48234e699f3484510a294ae20e6c6f7bb0e1b7c489f104d33055cdc00adfc8eadf89e6e637badc2a75f765a69d35b6deb4daf3dda0e700f6dc7dc2e8a49ddaf2

Download Submit
C:\Users\Admin\AppData\Local\TempTMPRW.txt

Filesize
163B

MD5
6f7e6c9432483beeca815caea51e7d46

SHA1
e7f4c95e0360036deaf65fb821f8987a5cbc12c0

SHA256
b53d638269a261058b03bab10124af4a53d842a2218456a6a255ee408e0c7c42

SHA512
6850664562e19b6440c2fb168395d788a1669f2a46f983f432845489766a8c39176266bbdfc2e31bc2713808d273fd280651a40c32beb7f75dde0e92b2ff84b1

Download Submit
C:\Users\Admin\AppData\Local\TempTPXPD.txt

Filesize
163B

MD5
7531dc6e7c17ae9a27d319fba48de20d

SHA1
e18adaf810103ce09c3063def610037d3a472080

SHA256
cb50ce959c42522cc19f5c7a5434985e073e4d1010cb7933da259eb662300dd4

SHA512
e98476ebc6e4b7f2b9020a3444f1abd89ece501f0e4e74deaba431a2f70b17747dec7f5c02ddb1bf48e6cd2c67f157f71e44831d4b7e7603bf8f4ae1d6b7fcb6

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.txt

Filesize
163B

MD5
a7f29c655c9872138c89aa16608f66aa

SHA1
364b20abb1c8efe0f64a7932826c5fee409efb43

SHA256
89f6ff4a0bd1ca5da799ceea4b9a8ceb42a59ae14d2bc65752258168e3e5328b

SHA512
d0d8f36ad9eeb6c6bdf5dd125675afbda7ab6cd62e01f5dfa8fed25dbae730ddf00fbd0bed29436d5c92aebc93cc58244bccbcae4974a8109a037d29adc2e8ec

Download Submit
C:\Users\Admin\AppData\Local\TempUFYYN.txt

Filesize
163B

MD5
5d4766d585a46e424bddf87c4fb7828c

SHA1
151c92e29ec5dd2581dac5b1ec770fa79b033060

SHA256
b83f02b0cd1bb935ebe846acf2dc9ccbf711359be5e3ce1086636c5c2d36b4f2

SHA512
c6192357d9fe819995a28c570eda130929305c69d3926fba584a2f776f321381072df4e935eced4dc0e759669fbe0f27aa4f4204d1e5104473eafb742d19f499

Download Submit
C:\Users\Admin\AppData\Local\TempVGSDC.txt

Filesize
163B

MD5
ad0d3ce9d701bdf7b063f67a251e8a7a

SHA1
a50a7cfa02511bd3ea8d8780a4f2dbfa1ee5d4a3

SHA256
efecabf7a5869a1d9ada43700504aa28f4b106e711317e3f5c0192adbe45e994

SHA512
df448f65e453bf27508523f09a108999a37aa7be7f4d7369e9b054bb99329df1df08f3e04d24b9d8f3c27f76d5d782007c74d5fccff12adb8cf3b494325a3b58

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJX.txt

Filesize
163B

MD5
80e9dadead05662d6617aea90188dbe4

SHA1
899035a614c72bcb26b31011eb63aa89b5142914

SHA256
a144536a2fd5a2737935170ceea701b469b573f32d564d65d1fa1f3f144d93f0

SHA512
33f4dd56d6d3377c72374ada5fa4541536259f456c8e4235e25cbbc6cccce126582e413dd414575dff9e2b4392a3eb057e974667c8caca33fda2929cb6d70463

Download Submit
C:\Users\Admin\AppData\Local\TempVHOSE.txt

Filesize
163B

MD5
bd6ef03451e88caaeed81bf9d7823359

SHA1
62809a2376a8a11b5fc13c8be32396c6078efccf

SHA256
5e8268494d3c001d1ed6eaeccf7ab3724d016fde8d7ea75ecbff7f63f6281ae2

SHA512
9f6255bde0d7d40a546237a6d62a83d6210c20c1fd9a89e82e7f89d550e42f4119f56c7afa7d8e4c4b7fc3a55fe1408bc12c23df9b52f6aa953f9e974a4a7be3

Download Submit
C:\Users\Admin\AppData\Local\TempVOPYO.txt

Filesize
163B

MD5
bf19cb1e62dfc01b84f4408c04b7f36c

SHA1
929c72f8872e602d2675addb14bca843095ca352

SHA256
a9d9898076bf9d5d7674030f325f7ba7228fc157ed8c7ad79be18db59b0c3036

SHA512
ce563a98688e4570ac87a919effe714c711c67f614f53275a581673ef880e9459dae57320e92d94dfec922cb4ab7d58542b0ba5748ba4af951991ad360d49628

Download Submit
C:\Users\Admin\AppData\Local\TempVRRGO.txt

Filesize
163B

MD5
49d735db36314abfd3586a3574d95d20

SHA1
93d55ceecc9af74b9f00faa403dd9b55519d46ce

SHA256
39ac97bc5a01915a45e5832b559b4786685434e0bf182b8fe787d64793be4d1b

SHA512
d06f602b24c50655075e2dcc62c2b62605f191615fb1b4a0e4bcc55376f6d1c59f9035b89a15e0830cd07faaab8aa3d8e74cd1ba31b31d05067a2fdb5b1143f4

Download Submit
C:\Users\Admin\AppData\Local\TempXAMYJ.txt

Filesize
163B

MD5
3064c9a63e8f85d6ea4736364aefe08f

SHA1
40adbf73e2852068eb366e171948fa4341cf70c3

SHA256
c3204a86ca655c286298e56b5bf3ccad1c57d4bd9f1a223a326bb408f92d9dd5

SHA512
f46027d46149395dad5e4fcb0c8f7358fb7b1bf88667575b15c7e7f65f9744c34d4b985321467d48c79ea481f8289cd37d31d90f604ee01b558abba451382d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe

Filesize
520KB

MD5
9ae3293edeab1924a66126d3f94427d7

SHA1
4f2c728bcda16e77bee9ac8c4454d37216feb6e6

SHA256
b307486eb4e4fc06d8452dda297b42212bb74338b0077ee1683ae44c3365f426

SHA512
ca772f88b96e1cb12048c18907e6f1e022d7e51c7476559eff955974cfa9acd687737dc6811b6130c6036b0ec2070a72eeb422e328c11e64a6141af78250ee75

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe

Filesize
520KB

MD5
f80a2fb719dc78bc045233370101f423

SHA1
f67ae009f035fcebf0c6b8b57acfe850fd76c70d

SHA256
c044de37d6232513baef643088a6cc9a8dadf9a72ca3295b498b988c4fb39f90

SHA512
a38e83401f3ede262706d252341843218e084e1e503d198de9d9daf9563c3f9ed4dbb8ed91ccee2df1e221d2cdc9481f4e11629383659730f7ebb82523d51aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe

Filesize
520KB

MD5
f8f009eba2061ba6bc1fd835f7caf563

SHA1
c02cee94912f9e36e87db846080e3ade08aa9062

SHA256
0721654429e171c8362f231c589480aa5ff5f8046d70075035472fed779c600c

SHA512
3d5adc9f1b9f14f769ba703f16c47e08adbb6c860f511739f479fd74a3b0192d3e57d11deaf178fe7fcce84dd4e6c2137df93e9a9eb50af9acc59dbd2bde2f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe

Filesize
520KB

MD5
c93474b0dfa3d2da6bd22c52d9a426e4

SHA1
9539519be22e821e50c9c8ffba984b54a58e82ca

SHA256
0966d5110abdaf86aa0aa3dd0492e3a47f7dbc3526251131e960d0166b5d7228

SHA512
95cef56c91d0a80d70ecc89f17692794a9c877c7e162123355314c462aa9a847f3faa48dd2749af6654da3ba920772528a2a792591e988d40da72d7c0e943321

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe

Filesize
520KB

MD5
d05f0b92ab3488604fd980336da79f01

SHA1
fe27a09ca979330b9a8690becccb3e7a7eaac446

SHA256
93405a5938e4aa76fa2db4ee0c0de6d59869e366e345cdf6851c4f9a79982d05

SHA512
d19f1802e70d8f24df87e0864e8a5846e1fb96a11432c7a3b1476693958775ffc2810450f1c0b713176b6a113d6b5c90fee81708d951a18c8aad33a5aacb7c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe

Filesize
520KB

MD5
e4d763422f6e1fc9032cab53c03ac89f

SHA1
dd6503798451cd68c4a0972c2de3c216773491bb

SHA256
655d0651e0f381da9d4aa68960772cdaa88e6464e3288edafe459b1da018dffc

SHA512
19e3c32c041d79d7b1f3f661b1405e734683d12201dabec38e9c25f09ae38a9a793b841604256b9943e242db2bd6eb888f84eac66272da5f286b58f2fb0d5fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.txt

Filesize
520KB

MD5
503eea4c13e45d8673ee5eb66a7517e1

SHA1
682e3b4d4532fc69c848b64645a8113efcfdd503

SHA256
25418851d0ce12269d2c622ed4f49bab9e1bc7d51f1340981f6d08ea598afff5

SHA512
9e27e48ad3c2ca346724e05d0330f6a91e4eebae5bdadefa46931f19091a6995bc6630c64597b34c80993097183d1262977ca2998930dcb7adfaae2bf893fd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
344f00bd2d05256a164553c25d2e5bb9

SHA1
aef4841b7d22f874998392ec6be2b39da3712f84

SHA256
8bdb7eaf69e4fd6c7b2d71e31225f5981cf22312d74682f61b63ffc50163fc6e

SHA512
608f47c375ddc988cfe8d3de5e51b9bb87e83820be4c180bdf8b68b6d1a2ece00d4f7df42eaa8f33c6a0a8b112c3cc0ba9800226401919b202b1a0cb7a3e9964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe

Filesize
520KB

MD5
d8d5c8797ee2740d6d362799f59ac0ae

SHA1
515339a4e85381adcf5eb00a0e5428a7e974624b

SHA256
54d5854b87fe77eaedba002ff371ee1a1f601855302d64a2a0ef8597b9ea8bcb

SHA512
8b6f38bde22448c6af321e1912c65ea3ef222a874cf99de0f7783097497edd6b2d8e6c86e723cbcbadfde411cb9e41e6d5e872c1aefb5034d2f07fa4b376e5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTIWENE\service.exe

Filesize
520KB

MD5
fbf48c34d4ef092dd3255274e46ca86d

SHA1
40366a8cde95785daf0ef89b26314751b05f2b8b

SHA256
bbbb06aea48f6fde36a1183a8b26d6383154cd8eaa5186d3fd93b2599e50e3a9

SHA512
8d66582c0e52f2814a515e33756a419b8fba6a0a55145cc995219939523c3f99e72fba232baf53bc0552dadaf912798751a3a97805c9cc2dfd8f9d1403c7030b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUKXAF\service.exe

Filesize
520KB

MD5
4e92a82139e5c69e799b4bdb815e765e

SHA1
e0f47c05e623045f4266b02714a2fbf64b9054e6

SHA256
3ea5ed46d44c09c3a6f0aeb6e2fb01454790d7e296190e26de3d920b350ec255

SHA512
b071f6a6617d4c10617eaafe6fe601932f793d322109fe94db2c833800fb2da09b12b08f60c400d5c81ed155fccb480e404296aa03ce4cc2519906003e79ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe

Filesize
520KB

MD5
061ec9ddb9c35124d65f729d926219fc

SHA1
abaa5acdc45acd210ced0511b8d0fba9db2f5bca

SHA256
1d3dd909bc9d31caff7148467d6e875e8ffb269facd5d6af6a618926fe9b1db1

SHA512
7c312c16c71204fc4fc87f044bd8d0f5b052187dd77e1a857e28c4f0f46c5a696725173e0921feb45c040ba9ff1ff7ed5e0b927a06939918eb607f812116a7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe

Filesize
520KB

MD5
803e30dfaead9406a01931a644e9c6a1

SHA1
ee35eed225d494ba1a060b5618ab4e5ec9e97f62

SHA256
8225fd9bd9aad11d279d6e6950131ec3e79e23dc4ce209d2570e9770e4a91196

SHA512
4e09c04a6c1860ea4de1ba0941205c8579e51bfd47e5a312a31e1cbbff7984e51e331ac26d986149f5085407d056073ed82255b086d3af3119f18a22cc4f066e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe

Filesize
520KB

MD5
6b68e9e1f07bd040fb7240e3a276872c

SHA1
a5d08f54b9bc4e80025b2955b8940880b94f7bdd

SHA256
11203f9478e6290bb75c0c1acb864e1cb77edb9406d2c52fe9325792c9d48a16

SHA512
6e50b0215cd7892784250ebd37b320020450193e2c29bc737aebcb7c52380d13d5dfedc34808d8c3595e54bde7165829fc1c1c0862b533a5098520eb0c6c7185

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe

Filesize
520KB

MD5
52a68c22d624fe27e22fe19e32ffa096

SHA1
d5e3a60a350414982564f2e820c0093e7452f5bf

SHA256
4527a6913d85a5275459031e667714a558cff18146782a57609d5ac98e5e155b

SHA512
75b8a2f6ab48ccd0ed8ebd0ee606d5c4ccc358d00678f206bc025882a01594fbad6aecdad0e5c21a7bba50485383b85c4e087dc7c1b5d2753f3780e1058d9732

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe

Filesize
520KB

MD5
fb9003ebd943d78a488e360431cdde65

SHA1
1fbebc82e2662fcc1576b38268f38224316c07df

SHA256
cc80d9f4e81499623a88ce794871fe4b4dcb7037a6453072887c7525cfbd9c63

SHA512
334b3399d70c362b9d6964ff91afb6cb8a9f90cac555446f0aa5d396c4a0882aa81f3421803cff994fbdcdd27475f2195c8d983d9241adec15863a72e04b415e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe

Filesize
520KB

MD5
a62708e67659460abfa9965d42cd2fd8

SHA1
38e474f1244ee0d40b17dc3ab5bc2ebbc3340aa6

SHA256
f98273e03769378301c67f824b382ae1564640b7a5d3cd2917e4dca2909fb5a8

SHA512
538c5742c73015d9dd12dc03e678633192c758d93e5b55525639cc23d4f597ab526746350b1640f7bdbe5f707f0a98ddb637950d4443b0be7704ce687f28f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe

Filesize
520KB

MD5
e37d733c6118954471d794b37202eb05

SHA1
bd9e1de784e9a1955b449595c9a02f825ff3e9d0

SHA256
0e5d197a3499ddfc0b11d9ef814af24226ad34a061d635504baf7d7b156d5f5e

SHA512
d02be7c673811684e64006973080a79e6107a6ef11ea00a4cc941faef1617f6f8b4a2a0f031e627fe796f9aaa2ec4e1f5fbb89eadf45fff0d60ccdfd2e7dc986

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe

Filesize
520KB

MD5
82175519e8acfc114e6fe453f347b73e

SHA1
2a6a8e6e1dd9556f16088ecc490613b490cfab35

SHA256
16368ec69964e887cfae5fa8951301e1d759d3ed575e1577e2be06aa850373d7

SHA512
9fa2fef3b5e4d917053a71ff1e0d3b1da1c78707d3d06b7370abfbd5dbaedf30c9e94ff0d57c4977682a8fa856c07cff0f62d86fda12e2c1de04d041ef67c7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQKDJQBBPUMUITJ\service.exe

Filesize
520KB

MD5
ae0a1d3281c97e51c23377fb6339bf24

SHA1
59fa248963fa332f04fcc2db73e810214651c674

SHA256
05d8b5058a3e392636a243b18d427a867a0c37cfda9ef806965c79baa4148e11

SHA512
929a80edb9bd92e8f301f76c1ad7e02e5d141524fe051cf7bd47d5b8f1d2375665f488b531fddfab121120b3f638963c0342cb80cbfc15b71bb1589bb0008060

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe

Filesize
520KB

MD5
21112daf4e4f2da5fd2ab0c1d36129ae

SHA1
0b73b6c26ad8572a67f976b052687ca3663377ce

SHA256
966862bcb44d4d7d21e39570dd5c8f33447c42041ff69434c7a32df79038b481

SHA512
d160f76827faf6f267c4a730750ee6aad6ef6276e86a692c5b2706ddbc23fa17134076f06b419549b74374e125fbc750ec8f08a01bbf330c07cc93213e2b308f

Download Submit
memory/1252-883-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1252-882-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1252-888-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1252-891-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1252-892-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1252-893-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1252-894-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1252-896-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1252-897-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads