blackshades | 2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
Size

520KB
MD5

87c6602ec971cbf7d11c460fdb1a8cfc
SHA1

69fd69bee8a85ee0c7742fefed29eaa17ee020bd
SHA256

2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32
SHA512

aa1b3b51880870bfe2597a594e03974848ca5e826a2e6e5ee256ddcd15d0fbc6b28442b6bc8bb113ed28a7f412d303bdcedc54e49d9c15efb037687a43a8281f
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXX:zW6ncoyqOp6IsTl/mXX

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 8 IoCs

resource	yara_rule
behavioral1/memory/2864-1050-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2864-1055-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2864-1056-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2864-1058-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2864-1059-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2864-1060-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2864-1062-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2864-1063-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 42 IoCs

pid	Process
1632	service.exe
1408	service.exe
2848	service.exe
1540	service.exe
828	service.exe
1864	service.exe
1924	service.exe
1580	service.exe
1740	service.exe
348	service.exe
1720	service.exe
2884	service.exe
2036	service.exe
2044	service.exe
756	service.exe
1576	service.exe
1436	service.exe
3024	service.exe
2608	service.exe
2980	service.exe
2924	service.exe
2644	service.exe
2232	service.exe
2328	service.exe
1468	service.exe
1676	service.exe
2040	service.exe
2440	service.exe
1996	service.exe
2140	service.exe
2880	service.exe
1784	service.exe
2416	service.exe
1656	service.exe
1900	service.exe
1792	service.exe
2792	service.exe
2544	service.exe
1260	service.exe
1616	service.exe
1720	service.exe
2864	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
1632	service.exe
1632	service.exe
1408	service.exe
1408	service.exe
2848	service.exe
2848	service.exe
1540	service.exe
1540	service.exe
828	service.exe
828	service.exe
1864	service.exe
1864	service.exe
1924	service.exe
1924	service.exe
1580	service.exe
1580	service.exe
1740	service.exe
1740	service.exe
348	service.exe
348	service.exe
1720	service.exe
1720	service.exe
2884	service.exe
2884	service.exe
2036	service.exe
2036	service.exe
2044	service.exe
2044	service.exe
756	service.exe
756	service.exe
1576	service.exe
1576	service.exe
1436	service.exe
1436	service.exe
3024	service.exe
3024	service.exe
2608	service.exe
2608	service.exe
2980	service.exe
2980	service.exe
2924	service.exe
2924	service.exe
2644	service.exe
2644	service.exe
2232	service.exe
2232	service.exe
2328	service.exe
2328	service.exe
1468	service.exe
1468	service.exe
1676	service.exe
1676	service.exe
2040	service.exe
2040	service.exe
2440	service.exe
2440	service.exe
1996	service.exe
1996	service.exe
2140	service.exe
2140	service.exe
2880	service.exe
2880	service.exe

Adds Run key to start application 2 TTPs 41 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYRWPFPJHKWXFS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\AXFTSEMEVNJEUNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\DXCPFTPMRERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBUXBSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHTFDHVWJOVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVWTCDOULJNIQEF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXPVNEOHGIYVVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSVQJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBLYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNGMTEFSYPXMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXVMWPOQCGLYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOUKIMHPDFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MMGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\YMNIGJMTCOTDPBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EOXFCQUGHENFKYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNSOCPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLODRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJRDKO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCPFTPNSERTOHLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBGOXNSKSGRHD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKDXEVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYKHLGODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQKFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTOESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RSNMHQXIEPIJSVX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOINKV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUBBHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEYDQGUQNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOXAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CRSPYKQVHEIDLAX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANTKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FDOMKOCGBQVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XDEBKCHWVJKFEGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGELUKQIYQEOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNTYKIMHPDEXVEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FBPVNEDFAHVDRQC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORVTVHLREBQYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSYPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKDCJSIOFWNCMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWWJLGEGWKRAMQB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRCLVDYNSXEECKD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEPQMKMCQXGRWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKIQCJN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWUDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NAMULAVRMVHWBGV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIGNJMTDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOCFBPVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQBAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIIUQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGCWRFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTAJXSQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYKIMHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKUQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUNOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\EBFAIUVQORGUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKFYOPMVHNS\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
112	reg.exe
324	reg.exe
996	reg.exe
2376	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2864	service.exe
Token: SeCreateTokenPrivilege	2864	service.exe
Token: SeAssignPrimaryTokenPrivilege	2864	service.exe
Token: SeLockMemoryPrivilege	2864	service.exe
Token: SeIncreaseQuotaPrivilege	2864	service.exe
Token: SeMachineAccountPrivilege	2864	service.exe
Token: SeTcbPrivilege	2864	service.exe
Token: SeSecurityPrivilege	2864	service.exe
Token: SeTakeOwnershipPrivilege	2864	service.exe
Token: SeLoadDriverPrivilege	2864	service.exe
Token: SeSystemProfilePrivilege	2864	service.exe
Token: SeSystemtimePrivilege	2864	service.exe
Token: SeProfSingleProcessPrivilege	2864	service.exe
Token: SeIncBasePriorityPrivilege	2864	service.exe
Token: SeCreatePagefilePrivilege	2864	service.exe
Token: SeCreatePermanentPrivilege	2864	service.exe
Token: SeBackupPrivilege	2864	service.exe
Token: SeRestorePrivilege	2864	service.exe
Token: SeShutdownPrivilege	2864	service.exe
Token: SeDebugPrivilege	2864	service.exe
Token: SeAuditPrivilege	2864	service.exe
Token: SeSystemEnvironmentPrivilege	2864	service.exe
Token: SeChangeNotifyPrivilege	2864	service.exe
Token: SeRemoteShutdownPrivilege	2864	service.exe
Token: SeUndockPrivilege	2864	service.exe
Token: SeSyncAgentPrivilege	2864	service.exe
Token: SeEnableDelegationPrivilege	2864	service.exe
Token: SeManageVolumePrivilege	2864	service.exe
Token: SeImpersonatePrivilege	2864	service.exe
Token: SeCreateGlobalPrivilege	2864	service.exe
Token: 31	2864	service.exe
Token: 32	2864	service.exe
Token: 33	2864	service.exe
Token: 34	2864	service.exe
Token: 35	2864	service.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
1632	service.exe
1408	service.exe
2848	service.exe
1540	service.exe
828	service.exe
1864	service.exe
1924	service.exe
1580	service.exe
1740	service.exe
348	service.exe
1720	service.exe
2884	service.exe
2036	service.exe
2044	service.exe
756	service.exe
1576	service.exe
1436	service.exe
3024	service.exe
2608	service.exe
2980	service.exe
2924	service.exe
2644	service.exe
2232	service.exe
2328	service.exe
1468	service.exe
1676	service.exe
2040	service.exe
2440	service.exe
1996	service.exe
2140	service.exe
2880	service.exe
1784	service.exe
2416	service.exe
1656	service.exe
1900	service.exe
1792	service.exe
2792	service.exe
2544	service.exe
1260	service.exe
1616	service.exe
1720	service.exe
2864	service.exe
2864	service.exe
2864	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2800	2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	31
PID 2764 wrote to memory of 2800	2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	31
PID 2764 wrote to memory of 2800	2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	31
PID 2764 wrote to memory of 2800	2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	31
PID 2800 wrote to memory of 2736	2800	cmd.exe	33
PID 2800 wrote to memory of 2736	2800	cmd.exe	33
PID 2800 wrote to memory of 2736	2800	cmd.exe	33
PID 2800 wrote to memory of 2736	2800	cmd.exe	33
PID 2764 wrote to memory of 1632	2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	34
PID 2764 wrote to memory of 1632	2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	34
PID 2764 wrote to memory of 1632	2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	34
PID 2764 wrote to memory of 1632	2764	2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe	34
PID 1632 wrote to memory of 1048	1632	service.exe	35
PID 1632 wrote to memory of 1048	1632	service.exe	35
PID 1632 wrote to memory of 1048	1632	service.exe	35
PID 1632 wrote to memory of 1048	1632	service.exe	35
PID 1048 wrote to memory of 2904	1048	cmd.exe	37
PID 1048 wrote to memory of 2904	1048	cmd.exe	37
PID 1048 wrote to memory of 2904	1048	cmd.exe	37
PID 1048 wrote to memory of 2904	1048	cmd.exe	37
PID 1632 wrote to memory of 1408	1632	service.exe	38
PID 1632 wrote to memory of 1408	1632	service.exe	38
PID 1632 wrote to memory of 1408	1632	service.exe	38
PID 1632 wrote to memory of 1408	1632	service.exe	38
PID 1408 wrote to memory of 2052	1408	service.exe	39
PID 1408 wrote to memory of 2052	1408	service.exe	39
PID 1408 wrote to memory of 2052	1408	service.exe	39
PID 1408 wrote to memory of 2052	1408	service.exe	39
PID 2052 wrote to memory of 2908	2052	cmd.exe	41
PID 2052 wrote to memory of 2908	2052	cmd.exe	41
PID 2052 wrote to memory of 2908	2052	cmd.exe	41
PID 2052 wrote to memory of 2908	2052	cmd.exe	41
PID 1408 wrote to memory of 2848	1408	service.exe	42
PID 1408 wrote to memory of 2848	1408	service.exe	42
PID 1408 wrote to memory of 2848	1408	service.exe	42
PID 1408 wrote to memory of 2848	1408	service.exe	42
PID 2848 wrote to memory of 2916	2848	service.exe	43
PID 2848 wrote to memory of 2916	2848	service.exe	43
PID 2848 wrote to memory of 2916	2848	service.exe	43
PID 2848 wrote to memory of 2916	2848	service.exe	43
PID 2916 wrote to memory of 2936	2916	cmd.exe	45
PID 2916 wrote to memory of 2936	2916	cmd.exe	45
PID 2916 wrote to memory of 2936	2916	cmd.exe	45
PID 2916 wrote to memory of 2936	2916	cmd.exe	45
PID 2848 wrote to memory of 1540	2848	service.exe	46
PID 2848 wrote to memory of 1540	2848	service.exe	46
PID 2848 wrote to memory of 1540	2848	service.exe	46
PID 2848 wrote to memory of 1540	2848	service.exe	46
PID 1540 wrote to memory of 2512	1540	service.exe	47
PID 1540 wrote to memory of 2512	1540	service.exe	47
PID 1540 wrote to memory of 2512	1540	service.exe	47
PID 1540 wrote to memory of 2512	1540	service.exe	47
PID 2512 wrote to memory of 1936	2512	cmd.exe	49
PID 2512 wrote to memory of 1936	2512	cmd.exe	49
PID 2512 wrote to memory of 1936	2512	cmd.exe	49
PID 2512 wrote to memory of 1936	2512	cmd.exe	49
PID 1540 wrote to memory of 828	1540	service.exe	50
PID 1540 wrote to memory of 828	1540	service.exe	50
PID 1540 wrote to memory of 828	1540	service.exe	50
PID 1540 wrote to memory of 828	1540	service.exe	50
PID 828 wrote to memory of 2480	828	service.exe	51
PID 828 wrote to memory of 2480	828	service.exe	51
PID 828 wrote to memory of 2480	828	service.exe	51
PID 828 wrote to memory of 2480	828	service.exe	51

C:\Users\Admin\AppData\Local\Temp\2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe
"C:\Users\Admin\AppData\Local\Temp\2740dc3bc52d850a57761bccdbfcb25d7f457df3c0a96f595b719b936a51de32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempYWFFY.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVWTCDOULJNIQEF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIYVVD\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIYVVD\service.exe
  "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIYVVD\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SEMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2904
- - C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe
    "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempYOPMU.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXFTSEMEVNJEUNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
      "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOINKV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLODRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKO\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1936
      - C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKO\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLNWSF.bat" "
        7⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEYDQGUQNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSVQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHRM.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKDCJSIOFWNCMC\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\RUKDCJSIOFWNCMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUKDCJSIOFWNCMC\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVSST.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQBAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVLJNI.bat" "
        11⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWUDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWUDOU.bat" "
        12⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAMULAVRMVHWBGV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        13⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIIUQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBYTRA.bat" "
        14⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRSPYKQVHEIDLAX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNYVBT.bat" "
        15⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWWJLGEGWKRAMQB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRCLVDYNSXEECKD\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\YRCLVDYNSXEECKD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRCLVDYNSXEECKD\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBIWES.bat" "
        16⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FDOMKOCGBQVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFO\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFO\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDWWLU.bat" "
        17⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOUKIMHPDFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        19⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        20⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MMGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVREBQ.bat" "
        21⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCPFTPNSERTOHLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBGOXNSKSGRHD\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\WOIBGOXNSKSGRHD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBGOXNSKSGRHD\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJRALQ.bat" "
        22⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XDEBKCHWVJKFEGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDVVRR.bat" "
        23⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJMTCOTDPBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
        24⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKDXEVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLOQVB.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJXSQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
        26⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNTYKIMHPDEXVEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPQMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRRCVV.bat" "
        29⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSOCPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKCFTL.bat" "
        30⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBPVNEDFAHVDRQC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTVHLREBQYP\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\FSORVTVHLREBQYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FSORVTVHLREBQYP\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKIMHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHLGODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAFUVSB\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIBCQM.bat" "
        34⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMUGNS.bat" "
        35⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUNOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        36⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIJGPB.bat" "
        37⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RSNMHQXIEPIJSVX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        38⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBLYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNGMTEFSYPXMWMI\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\UNGMTEFSYPXMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNGMTEFSYPXMWMI\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EBFAIUVQORGUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBIWDR.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOCFBPVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBPYKK.bat" "
        42⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTFDHVWJOVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        45⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe:*:Enabled:Windows Messanger" /f
        44⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe:*:Enabled:Windows Messanger" /f
        45⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        44⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        45⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        45⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBIWDR.bat

Filesize
163B

MD5
07bdcc8f46797f3abf73a8a329437fc1

SHA1
ca4c65dd543c0f6c8e5c96a5582949865e01d368

SHA256
d9a2385369660d031efcddbc26c701e0681299544687b01ad8989c1e427b273f

SHA512
96fbf3d9762704250b922fa3b942cba41a8404c117060d66b726317428841f16088d018c3d3b4386dc2ba5a56df59114ba3369daadd7bbec82ef5397d85a6a04

Download Submit
C:\Users\Admin\AppData\Local\TempBIWES.bat

Filesize
163B

MD5
c3cb7f1813d89353e231e79f92d28217

SHA1
549a1df51382291dba06a5d15bbce74944e28d34

SHA256
157cd801937715c585963d1ed830ed319d4bc40e0bfe1401759e32e125090a1e

SHA512
9b86dd90744cb2f090d18eaa671a1ec095876ab54891ea0e2b1882940db97c3f10192d80791577d532a9194ef6a1399ed114a72554424a4b9b697315e74c2172

Download Submit
C:\Users\Admin\AppData\Local\TempBPYKK.bat

Filesize
163B

MD5
a10f7849903f762fe4fa5132e5c47f3d

SHA1
27d9b61d92991d2ca2c120be1b4a6f071f8a240e

SHA256
03b747a65a1f1813551874b2f4e6133dbac1efd8bba28abbbe874d38199286ed

SHA512
4d922b5fe3e2e3a385bd7cc7e9b21ac489e9eaf1e9fac1b3675804cca68bfc6f9ca37a7f7726d19956d0337abdd44de758e338356d07fd4bcdd27e8ca23a92cf

Download Submit
C:\Users\Admin\AppData\Local\TempBYTRA.bat

Filesize
163B

MD5
1f522a34e521ecf493cd33dc88a7ddf4

SHA1
1912444f0ca1c93cac113968865a0d024885e43f

SHA256
30aca1ecaaf49eba1ee544bc6bd053ec1c8eae11e357211ed56236f7f83168db

SHA512
5ac0dc85d2fb706f4c22fc27ac4d3473324bae46a5863867b52af88eb3e6b6e86955e984a1b3bb3d022ae4fe180683ce11fec10a874b175600af722ddf5f55ce

Download Submit
C:\Users\Admin\AppData\Local\TempDGHRM.bat

Filesize
163B

MD5
54ff3e9db459836675750cd1b5d8464d

SHA1
c0ad00506cb544769c75515770bd5bb68f5fb263

SHA256
a640bb75a934b7e7ab25581c932e3ca853092716e2f1e9628950e14c3ed882d3

SHA512
0abd493cc754dcd4b815fbcb156d8deeddea73f7101cd2aa93c0b40f50ce7a65d1e5e9c63df4fd2344558fb620e78c41c92eeb04b4c7d023c7288084cfe0948b

Download Submit
C:\Users\Admin\AppData\Local\TempDVVRR.bat

Filesize
163B

MD5
397fb26b5b923e95769bf079f2d81504

SHA1
9ad077c09176da51efc51d877673694644f1e5a8

SHA256
623fbf528184adefe8ac2d91a266effda1c3a9d894d9c30cf24b5da90f32c0b0

SHA512
c3fa1892ebd757cdea5dd737c9f7008cbbd5d56e64f6f7b9f76ac86f181bf88d2589fda5fc1cf39c81101707114e2cd9c53e6cbd7c1e2e8096a7d5a7a192afa3

Download Submit
C:\Users\Admin\AppData\Local\TempDWWLU.bat

Filesize
163B

MD5
5173f087c79d96c19c0b3c179d070d52

SHA1
c75236909f9401a0b974abe7ba97af86ea5b68f6

SHA256
5e40da6ed8954741e011fc6bbeb8c1ede726e596f915abcd773375198ccaae5e

SHA512
c996d44fbc155a9c4033ef0f8981c63b838ebbd9123a3a958b5e4053b65e8c9e3842be0356e179be2b1608533477c0c2931d8803bda82244213f1c23ead085f1

Download Submit
C:\Users\Admin\AppData\Local\TempEDHYU.bat

Filesize
163B

MD5
eb6b81f78f24c389d5ab5fbd8654cba1

SHA1
9696d0b43bed3f13cb76d6699e47ea0143068c24

SHA256
3f11603292f26b702872843d47aaac8fe90dd62c8c5ef9f538b9662aba965b12

SHA512
90ffce227ff04f5bcc9500d4ea92f30817120f083ccef586384d83222d82ed5d999209da676875c34d0e480e5fd252edb9dfe2ef89994fb0f41a5670b02956bc

Download Submit
C:\Users\Admin\AppData\Local\TempEYNJR.bat

Filesize
163B

MD5
392b0ea376b23d5132653625d537b78b

SHA1
5f095f14c20d11d634170d133bfb9ad715380900

SHA256
b29f6b60e6e6bc1e204bd92a62b2ca1da8aff01928f33170192d708838e7d555

SHA512
320d309745c25686a6e13fc0b263b4fd2cb0a2aab4fd0fdefeefcddb16b0dd9703cbc4797a548a4fabaf8588121d420f75bbf64ad1f1bb3384a4e0f93893ecb7

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.bat

Filesize
163B

MD5
753ef735ba50582754cbaf549b0bcefa

SHA1
e9e4c4969336f7b7d3d9d53ec290514bc0854f5f

SHA256
ff72216d92f3692e3936bb52cec51003ab9dae489b20a1c3dc7ee383555cc183

SHA512
c126cb6f9c1de885fb60c89b5b72e9eb00d333ec9156b50faae3187d3ac9a7bcebd3044120d7e19bb145694351d3fc076bdb3e38e3902912067d3a003846ca68

Download Submit
C:\Users\Admin\AppData\Local\TempIBCQM.bat

Filesize
163B

MD5
4ee0ac9fd9906f6947aa07400a0c6eb0

SHA1
889019ae0da9a4ec8a4c26f350266d5fe66d87d8

SHA256
f984d52f2337b3ac2be55c808a5f8745e0b284db69e3c083240622ae1066908d

SHA512
cd0e092b24c306e789073cc14985587631ef1864128c403751515356f2e4ccf2a246aa7f0b119e77f93bf9b9637755b661dbf82815c41595e8256dd7f0c8594f

Download Submit
C:\Users\Admin\AppData\Local\TempIJGPB.bat

Filesize
163B

MD5
20f667663be8a264284a505b486b89ab

SHA1
1043ebfeaa78e28327cfe4fab1aa70140f872732

SHA256
664c0f6e19734507e337e85c6a5ebfd85684cc5a1f36ca0a9f1b4208cfb6ab5e

SHA512
d33e7a0e972f44bc8fc32a9cdc6e0798d15aa9e200d968912c66dbc3ef043d6197ef2919bded75006b2145089ed084e3915ec5483e6a949404333f03a2afd04d

Download Submit
C:\Users\Admin\AppData\Local\TempJRALQ.bat

Filesize
163B

MD5
0a835ab2744823f46121cd6c7241e4dd

SHA1
6dab360573f69b8a3b3a9b0f117b43b8d0235073

SHA256
e2adfe74df087eed89938fa3a64311522fa229ecc4d77f13df85df0fa34f3e80

SHA512
f14f5d0ea7df81efa7c2bf38de756016bda42875b9666fc22e072d7a83bc17f99fdbe3c126b7c3555de64cdca72d4536990c77b3fc45a72c09c188ea420c700b

Download Submit
C:\Users\Admin\AppData\Local\TempKCFTL.bat

Filesize
163B

MD5
f2ec31a6c8b854ed236bb456a2c0e670

SHA1
f8832e834947a4f47aa38810a7735c0ba19674c8

SHA256
b5978db5d58b32dec9e3c76c8c94c08262e705b1ec984efc2bd6b8f41b769aee

SHA512
560c6dc5ecbbbda5c9a69923ede34845af9f02079478d74d90b55daca44a292f9b7ddfa3b79858c087d53b20ec407d765825074e030b27dee1761d048e6ec371

Download Submit
C:\Users\Admin\AppData\Local\TempLNWSF.bat

Filesize
163B

MD5
0b96c7730be3ebd96428e696a67c665a

SHA1
caca8cbf0fcdd38c32284f7ebbce57c98948a1d4

SHA256
ed8b155d48f231a2843ff2a74996d5e5366e27083941fe642124286472812125

SHA512
b3b99e6ab9c9123869b7edcfe3dc8ff830111ca79f4d9e1a52454c78c1b158f3f9a76f180c7a0b8b8112db8bc1e58b4ba6d335cc9fbcf1977ba7b6d6e5622f03

Download Submit
C:\Users\Admin\AppData\Local\TempLOQVB.bat

Filesize
163B

MD5
9f8c7a34e37d802e5098e5cadb55e343

SHA1
a9637e79bf137414f4412459cbb22cb68e2fb2d6

SHA256
6add4885e65a87736219500b3f9df5501b43d5016a7c3a305a2c26bfb8d4cc44

SHA512
e2fefb40fcf18224845d2a554a79b52733be22374971d99a7fe3d799e3c113b8b0e348543a6cbdfc5849e2d8e61b3dc2c258c923843d9515857d6d0364d4d78c

Download Submit
C:\Users\Admin\AppData\Local\TempMUGNS.bat

Filesize
163B

MD5
72dc972d83ef1ca0ee1c4cf8c35372f6

SHA1
a13fcbfd4cc8880e2f7b6e14002855c44efe5693

SHA256
b4f3b35464149051a09f9eed016f4b569df525dadc6bea464446c786620f3ee8

SHA512
c43905716505ddf70f7f468b9cf93288dcac02355cb8d4fa9cf4ee44203a2bc9cfc514190f2ea0ea2adfb88047e2bdef1b3e1f97dc70542e9de6a0b487c8567e

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.bat

Filesize
163B

MD5
0e84f3bcd40232c8eb14e54587f94776

SHA1
e7648e0fc12856e52efec01dedf8cb4eba0c9953

SHA256
ea568b80a63a5b79adc0dc2fee080588c2e7f9747730bc2a2f019671618ce98e

SHA512
7da9c91d583165b2af80ca23f0f398d5a56e10c2a4d07729c36c2a68b260c26e65b4722093bd03a59cb643348b63572aa12827b92e832e1abe290e60f67a6f58

Download Submit
C:\Users\Admin\AppData\Local\TempNWSAF.bat

Filesize
163B

MD5
afeb668f213817d4b1a9be76781efc92

SHA1
ee411b15b31e74668760c6336509caf7c1ea4014

SHA256
67e6ee9618639ad12271873b3ca1a28f253cc564a8824b20ccaa02d987ca7e12

SHA512
84a77b223af978e42dfd83be7a7707a174f3547843128ab0a384c73dac443ea15fa2844c39b4c220c6c1baf45962557095b711a90b16d3426a0af14442ddfa04

Download Submit
C:\Users\Admin\AppData\Local\TempNYVBT.bat

Filesize
163B

MD5
1ee6659eb6ab40ad05f12643ceb507f6

SHA1
3fbc9a354e18753a1fb3a6992e395dab063477b5

SHA256
3da141dc70fc378a1cc8edd6dc6561681c8d981f388a2b24e5726afce872435d

SHA512
21f1c9b85ba33cd51fb562499f871496b826d6be9ea0e98b08d8681306ea247f7fbb06045f9d3eccbf059449390da7331e5a58760146821a7028164e3f89af6a

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.bat

Filesize
163B

MD5
8fc9a31c18b8032918ec1342d604794e

SHA1
3f2f11eefe4d9e3b0637e944ef17620d743640de

SHA256
43093309724d83d4f7d524089181d347737bc1034a28ffc054509158d3e3dae3

SHA512
d270fc6f49aa5ee9c82111a6ac79df1da26691a1a37ec7fdd54b246fc94bf7bd41445d80ab062cb4794df4df918bc1dd24ce853bdc7b1bf867a21741b773bb18

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.bat

Filesize
163B

MD5
f6bd5be39db4db89d196c2f9944a9580

SHA1
53b95e1a9c1e36709908f54d100d4d2bc62485c7

SHA256
7e918de8b52fdcc6b56b559131fc2da3dcae25a6ffa5d4e74fe14cc1c7f43c6f

SHA512
d9da08629c1f24b101a711d8fba4126a81fbad72a376a3671f2c4c28a57a0633954c8917f6f2b0ae1c4dcf59bbfc4395d1bbb9494861f63720027af32c8a1463

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.bat

Filesize
163B

MD5
19d5b04cd297fe8e47094f807b3a34c4

SHA1
db8516d521a80970a6586deff2343b8601b9df84

SHA256
7f597777f439222595b2ad9466e89a4b74aac8a717f0b6855c6804b7e3ef199a

SHA512
eb2dedfc4b5588ebd5063e8c3408abcf3315b6f8b805445359642324bdb8787a8ef48ac9c720df01be8171e1aa06c59eb9646dd39e01302b011eedea207f0636

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.bat

Filesize
163B

MD5
57bb81dfd4644c9a2d4e1fb376ffa8ef

SHA1
0b54f35fceafcdbd9d4c1624f98b9f4ca634d25b

SHA256
1337f1de2af163d9ac122016567b8e35afd96e40fc6986258a77679c67d6c59e

SHA512
ba267a09fca3d5f45b889bc8b494be5b958deaadbe55c4d50086efcddcaaad2db77a886b9bee0a8af67e3b4e52948dad98a80962c9e36436fea79553b2ad11e6

Download Submit
C:\Users\Admin\AppData\Local\TempRRCVV.bat

Filesize
163B

MD5
6fd117f208423d249769655802c3be2a

SHA1
3ee3d49980f8c042989a99b98355f141a34f194a

SHA256
1c2ba2205211bd08851020aa7e4e858f766c23cd1f7a9edfc88aac533f454f7b

SHA512
9e2eddfb57523bd138b73dd4f3a59912f0727be0e5fb6141f7532c94478083aba7f102e5d4afbc6a098b7c6bf6ff1006a4d69a875287c985cae87c54e5b4235c

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEF.bat

Filesize
163B

MD5
50bbbf5524dacfec25beee4cda0c1c29

SHA1
3fd6c1b8bb90c1d0861ff798675c5fb2101c58f5

SHA256
fd428a7373e0e2051e9fcf95cfb26406832ce301cb8c8d2fe4d9185ada88c583

SHA512
2129a0f899999954ad9b157ec67b75f98fceebcf3fa07ee210ea1bd40607abbda29cca1590053ad2791e45e3233e37beac2eb9eee77b9fe0c277a08ca1bd7b7d

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.bat

Filesize
163B

MD5
dd787b7a40270bd2ff8f584a859b220f

SHA1
58aa72c78d4b9f53edcc8f2b66a645ebeedb17d2

SHA256
eb8bf9e0587fd9877e5ff7cfb523532d1ff8bc30264ed0b207ce15727e1e58dc

SHA512
4df20186e4541ffb3ab268b7166263a076dca627238c06bec758c4808091a21aff76eb60e9b002a49dc93c21157cbce617ac73ee1c02ce845e43f1046908c0ea

Download Submit
C:\Users\Admin\AppData\Local\TempTYKIM.bat

Filesize
163B

MD5
ba74f4182da1d1ba4ae163ef0817fa65

SHA1
88458d5f36f902c46660d0e982d88e8afcac7818

SHA256
d94d3313747759ec713e3691abad570ffd61e4ce7b55d318c04839ccdcc2efb7

SHA512
9b2960fc65868896ff05d010a0b38dc2a7f42f150cbc7353a4f2e0d433a7b9160bf8a850e00d7a49bd3865d5e2506102bbdf7ec537e32999adfa04ec897b0f27

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.bat

Filesize
163B

MD5
ee908cd169c8b889c6fa3c54e1ef5a42

SHA1
28f21026dd3ea5c0aa59693e473c847c15b65bf4

SHA256
244ce23892bf945d0937430788a881aba8dd5460f9de7ae1c8ca9f1809831d76

SHA512
b5909c390d676fca1489c257c822da3a0ace8f2006c62d4c04b25656d24a05a7a2af6fafa11898bbd10f2cdedc9df944984940c7b283a1124c8e52e616b7bc0e

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
ac925826b0b8f1ddb98b1da4ff70ef3b

SHA1
0d1b92e0cc4b6bd2b0f2724e1881ee403ec45d3d

SHA256
2b80898fa01a26ad6a62c25ae716d0c70df6a85fa80ae949f22bc8337ab28eb8

SHA512
d3e9066723291bedc356a2d5b12f4cacf7317826ed248ecb5d1d737907b05c5932475565d3eb760f6da546c88042813023ba4a5d8b214985ea42714aa590244b

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.bat

Filesize
163B

MD5
e5f6bb61139965cb6eb667a51c1c94dc

SHA1
28029916e0b2629120efac44758bac285fe4288f

SHA256
de653e425d22be0931c13a52d954bc15f722f65167d1e43906f7e363bb1e0e5e

SHA512
b83b86d6fa5b8d1491834b09c9e811c38ed253423e275b069b7fc502d070bf72eb249ee8581d109096f9ba94539323f0ad669ef122c013b8b8cd0e35bed57952

Download Submit
C:\Users\Admin\AppData\Local\TempVLJNI.bat

Filesize
163B

MD5
5157ee60b58bd389f3fac057958ed9fe

SHA1
9faefda7955fc40747579c53208f5e167f3f606d

SHA256
16865a6cccf2d8d1734f12d590c6af3bbfa8777a176ce67b7fcf51929da2156c

SHA512
b810b2024e4db16e0ff6b392935a88f7798aeb4dbd8a26a68f241953f01fa09482999b31b8c133c402523aacfdcabb17426c98b0f6a14f4c15e2392f4a2f96f2

Download Submit
C:\Users\Admin\AppData\Local\TempVREBQ.bat

Filesize
163B

MD5
a31d93f724a306eb39e7e6123b6da58d

SHA1
fa96fc558ee7e11f1c73d09033f9fe9f79a32cb6

SHA256
bbfdf4457b0cd96b13346de9d334bf7c2a098a86f5ddef8637a780c2af6973fa

SHA512
eb94103c8825e4cac43a112737391eb4a4cca74637989523e458b2f82c0d1c453e85705361360b6db085da288bd9f9e3ac2104d306ee3519fdde247fa95e03c7

Download Submit
C:\Users\Admin\AppData\Local\TempWALYJ.bat

Filesize
163B

MD5
eb2ea627f21ace553a67e97ce09cab97

SHA1
60f02c527ae3a018931610f9e59ca66efbbdf9b9

SHA256
5768f8f93b792be1be2bf03009cf2960d2ec9eca16d547add7a94b061a79661a

SHA512
cb69c766291dad88b4e668adf8c4153407beff55ea9e19f1df918d6aa29d19354fb1b6faa821b2fab01b4b97bb57d8080734217b56b3c1e245c37a6a3316c418

Download Submit
C:\Users\Admin\AppData\Local\TempWUDOU.bat

Filesize
163B

MD5
a0166ed9bf906d3a5040d33b6346102e

SHA1
65ec4325865e0afa1f2d2089c34e6f778c774ad3

SHA256
5dfd46eb877ff788a4cfd4923d330d5ccff82f900e8a8a659a02a3afe303f62d

SHA512
31363264d58f0a1d369ba1beec6c90f424627149fdba761e2865f6e2f5417a2b2d42f266f52e6bc9ab088cc7da88b07dba388abfd2a341b7c1d24f3ff036d124

Download Submit
C:\Users\Admin\AppData\Local\TempWVSST.bat

Filesize
163B

MD5
86550c4045ded27f9bfcc444dbc3fe24

SHA1
01b7dcdc9ee8c7ff89d01066db04249a81eeff91

SHA256
36dadacba29ee174b5948d034f9c17ab59afaeb3e6b696f7633f2e4c717a3d78

SHA512
90794a8e5f439b0771d24a3e84800e5340d42e184fa232b0395e809a9ef6953a68e8347c49a8074ce31014100319eb7a6fe80d9557e169f75bd8b60795bd1dad

Download Submit
C:\Users\Admin\AppData\Local\TempXMIRI.bat

Filesize
163B

MD5
657bc89bb7aec6bc45f5f41853d03c52

SHA1
89418389c3d139b416e3ed16ffd21baefad0a9e3

SHA256
bea1df0bd225594ad7227af96c227e8dc2d0fd52e21a20c06ce14038f54e37c4

SHA512
98096a889e188538fda9abe1dec1c32566c14a342954a2194c43596ea0e6690b48ae08798540a459b72ed8356340e6855ea84f29286d231d2a8d9ec7f2a134bd

Download Submit
C:\Users\Admin\AppData\Local\TempXNIRI.bat

Filesize
163B

MD5
0b49f0968469d582ac44f2dc73dc3f60

SHA1
572b6128095b21b80511a93b027222c87d3663db

SHA256
6352c9574dadb816314e9b140f29b376fb0119ae4ee41c5f3afc8cc0a30f47f9

SHA512
570727278ea995a832a4be77a84939f3b4d5a4f22d4e2150862931d0cf3b2a1f6731ef9a795d429af37a34d1127f9b00014be441c18fad92fe7eda74c643f0f2

Download Submit
C:\Users\Admin\AppData\Local\TempXNIRI.bat

Filesize
163B

MD5
493091b723f1019cd21d7ce77b87803c

SHA1
461c027f7380e8016c9b5171d1c4902d3701caa6

SHA256
469cb83f54c0fa8390f132a90b71b4489ab9b004fb3ce7677f3b381c44c22a8c

SHA512
418bf2ef52d92ca29f7c010ea6f5993a93a4f9fdbe5d2d7b39440584ec890f9152e231502061e58a3515284afc7b465717acc678f67f6dfc13f1f60df2aaa5f3

Download Submit
C:\Users\Admin\AppData\Local\TempYOPMU.bat

Filesize
163B

MD5
7342d916d2cdb90827921542ad2d439d

SHA1
3ba89c279ca1bfe44e50fa671afe30bdabb387df

SHA256
9207fccad3859ef50dc47ca7c8df794aedc2b813ce7f5caff2cb0ed1e660bcac

SHA512
558a15267c875d7423dc918f1f55be01c3685d988e18c913533bfe6d77d7be3ad98bc889d52463b48d0175924d1a2511cd8bd3bd455e1212823775dd9bf32d3c

Download Submit
C:\Users\Admin\AppData\Local\TempYWFFY.bat

Filesize
163B

MD5
8923c20ab103a0aa31e99e157fdf5801

SHA1
f0d70afda9f6a52014c3d343cdbdd9e8ea09db59

SHA256
80b9d4915d06e2d030288a5f7f5d95a284d656cd2513673a78f0f505b6f746ce

SHA512
782f5447a00e82c1bd00030f7f0e8d419ce436311f82ec108e44afd98ab8d2f4cca125b6c873ba95c90b0a452b8a1feb3c8f5ce21f3b39b6fa5524e0834e9280

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIYVVD\service.exe

Filesize
520KB

MD5
d8b440c5c73db413c7b4d6a9f4d31e32

SHA1
b56313467277467da116ce866c99619721949b9c

SHA256
c45d17274a39895a1228be0d9fcd2d967052afdab8fd3a724bfd58a048e72463

SHA512
7a5c4ac2ae83a060bfad1bb910481cabb80050719c7be602e02073cf61cfefa0512623275d19eb4ce995aff16d78372e83fce9f9935506cafc6ff481d4a3573c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe

Filesize
520KB

MD5
c58e5ddca1fd997ac098b3f3e02ef405

SHA1
5dca8161631fd2748e11a328643545820b10999b

SHA256
9f69c0ed25994d01ea0e8d182251bc2f9a485a3f3133aba97d8c0aadf21837d6

SHA512
70228bd50edb28061dc40d113e6b13ea2c83ece4a7d4f2126aedbd6ec30ccce820c4b2906cd0b1beb6ee8823f6c6816da000f142f6dba21c3b5e5c95b10f2284

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe

Filesize
520KB

MD5
1e78f9e901ef093ac8e23e7e2cfdae9c

SHA1
2fc4dee88b7b670b16a05601f2bcffcc7b7cc60d

SHA256
27deb2b53c5ddd3dcf23cc21b6e68081076fe5b5c9e71d5efd65e38d77dbd726

SHA512
fa1c108495b6837525cc8b26b4f4738eaa563ff743f43e995a6e5130ebd74c1b9f1afb72fe17b78e4d9d41ca3fcee5451474b1f8affaca6200966268cc6c2807

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUKDCJSIOFWNCMC\service.exe

Filesize
520KB

MD5
abab32c060d20b38d86809ca7903c82d

SHA1
8dcaba6d689982435fc88dfeb3efac48433627ed

SHA256
a50c2b948bd196e7caae7d26b4825fa0037c12828a0447bdf07c760271efcae0

SHA512
16f8d0a21300c447eb22a266aaed78def35fa068cadfc6645e8f741bc6debb10bb53bc1dc7d29b183235094c346c1d945d5f85cd5019d1e235aab3e9f046da05

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe

Filesize
520KB

MD5
1e0a538b8315f45df0ebbc60aa5419a8

SHA1
4976412be5dde3d4f15fdc43bf34c5e7b4f54f28

SHA256
569d84038bc10af81c79f1654c0d77cb2997a4d2523b4f72fc321ba7c51f65f1

SHA512
f60c983d68435f4231726f700d47122ddb7910f6aa7a14d955cf66868ec64058b77175b903bc189b68206735b7dc713d59542fe2f63b1113fb12c57c3fa751ef

Download Submit
\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKO\service.exe

Filesize
520KB

MD5
57838185a60e3c1a178d3c6fe33ddf91

SHA1
5a3cfa99697473a13f05a339f888310c33d1d6b4

SHA256
15c98453a01e23681417a41d659dc8e39fa27c77facad371003bd28b073fdba4

SHA512
5c15f6dd93ee0ea61118f2fe2e83980406bf06a1eb65bd09b8ac5416131feb3e2af101eff957b69b709fb2778cf7d78d8ff9d2cf8d2ea101fd488cb08db63ce3

Download Submit
\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe

Filesize
520KB

MD5
48453215d1804b76a6318df84c186517

SHA1
3265d70e881dea0918e40cc6bf7ca4d9c6098a78

SHA256
8c06ff473a167704499a2bc02316851fc8e5bd04562fc5c149cb21849d7b4e60

SHA512
31c6f89772c9c637284bdb9c51a6904c8aa8e607bf424248f489ecc9033dd09afc1f241c6e2b3abd5873870fa07eee763af23a28e66cce16b44791e3bf60459f

Download Submit
\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe

Filesize
520KB

MD5
c13c6c1e724bfa6be52483955b88bba2

SHA1
10d200cd0a7bb8f0dd06bf26e088ae6c6147b740

SHA256
37aaead80fd3d23f82efc2a6778280ac03b2f1ee2afb4c0b9503d9d1106adf49

SHA512
478529ffea7ed7e21a59a39a0a2cf019b49a06c30d8abb6f3323e9f1e5ee8412e3f65da90af4589fddd3f1d6ba4c0f08fa59e56ddea24ec15cf59b27dd39c05e

Download Submit
\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe

Filesize
520KB

MD5
1d458fafdfb657785988bcf33d3ba819

SHA1
8283c4f44b797a6f43f622e7d2afaff00ff1fb78

SHA256
ffbf53ada25dc4ffa060526c9d4a98196721ded4cd4860d99c00febc2e27cb50

SHA512
f8118ebfaac40d7912091cf391033db5f18ba403a8fdbcb92afd138378c2e4e6fde705d1932d827ac75bec647ae5345e0266b4e601ecdf432e786622951162fe

Download Submit
\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

Filesize
520KB

MD5
d0045a1f8cc1e58396cb8ad7ea536d03

SHA1
ad43ff9881380c492436cfe24dedec1dab3abc5f

SHA256
b89fc269e07a1ab00add43564679cd6394791dd7acbf4ef1aeae1c57ce1bdce5

SHA512
303d86c0e210fb966635a47c70db2eed048f468292d2cda80a204f9f93243fbf479f515b74cde2a258ef218ce380ff74d141cfdbd4fcd5fc1268ea3c9504a6b5

Download Submit
\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

Filesize
520KB

MD5
968a6f261197c9f7135b6653217fd436

SHA1
4177506bd986b3f710569e8d583f101bbe8a9334

SHA256
cbb46dc1efc25af9eb51bc481e1886fbf92963f0d9a9ad9c561176bbcbe9b49e

SHA512
a6d33988be43735207f7b4ff5281e9f686ee3cb8bb7661578bf0518add9b73c44c3e78249e9079ee7d7e794c8562914c04e2301177b808ba4604016b050756f6

Download Submit
\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe

Filesize
520KB

MD5
ddbf10dc17ea53191b7e08e66b417c6b

SHA1
f234b7fd0e2a93503702024e1e81bba1268f3520

SHA256
6633f8ce1e985211d257ec48c2a29bf80e661b8ed383236f286f3d424857fabc

SHA512
92c788b0d285e3b8c5f6d01f19ff18af4da61cabe3569b92af7e1031cb86152cfbe7f61c59963dc873fba435cb74043dbe136f21f045f1900d9b9c9425bd205c

Download Submit
\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

Filesize
520KB

MD5
7b0f238c6049c9fac020bba1fe8b8cfe

SHA1
4610de4437c345559a989994365de80f8f3a32b8

SHA256
0762c7277e93700182a9593fe3faeeb647e1834b082c660abf4ae352080760f7

SHA512
071d77b4152f103eb943fe0269218690b28ac586d5857f2b4282d2540db6bec578cbb2c9b75cfbc8152603c0114cb797659c4e162b069dfaa2df1ba0c478b3e4

Download Submit
memory/2864-1050-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2864-1055-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2864-1056-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2864-1058-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2864-1059-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2864-1060-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2864-1062-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2864-1063-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads