blackshades | 6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
Size

520KB
MD5

9736885aaded8b7387156d4b4888dc8b
SHA1

d29145c7448a7666b7bc4d3688218e08c8879e87
SHA256

6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003
SHA512

9aed30dd057d0be3387787dc32a2dc884ffaebc3233385893f441e751dfd594c02036977def09cf92a25894ca66653de01c042081e6fe950b3ec12da217bec3a
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX6:zW6ncoyqOp6IsTl/mX6

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral2/memory/4328-979-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4328-980-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4328-985-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4328-986-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4328-988-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4328-989-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4328-990-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4328-992-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4328-993-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 38 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 39 IoCs

pid	Process
2476	service.exe
2976	service.exe
3092	service.exe
3556	service.exe
3644	service.exe
1884	service.exe
4252	service.exe
3044	service.exe
2836	service.exe
2896	service.exe
4948	service.exe
4560	service.exe
812	service.exe
2352	service.exe
1504	service.exe
3696	service.exe
4524	service.exe
2804	service.exe
2464	service.exe
924	service.exe
1864	service.exe
4004	service.exe
5012	service.exe
4372	service.exe
1296	service.exe
2024	service.exe
3916	service.exe
728	service.exe
2480	service.exe
4496	service.exe
4248	service.exe
4340	service.exe
2296	service.exe
1420	service.exe
436	service.exe
1852	service.exe
3860	service.exe
2540	service.exe
4328	service.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GRHDYCPFTPNSERT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLTEESXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUGHENFKYAYMNIG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQCKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUYKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QREJQRCVVKTFESV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRECQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGDIDKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYPMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMYKIMAEOTMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDLDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBEPRMKMCQXGSWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFATYKLIQCJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQLRWIFJEMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKECJTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUVJWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXYBLRYYJABDRNM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHQNICCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCUYTPQDJQQBUUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMALTLAURMVGWBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTHHIDBIEUHOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOCPAXDVUQREJQR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYCFVRSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MUJTJFESIVRPUHA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDDEYEAVPDK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLMIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJMIGXVLLNIBEFP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWUDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KGDUSIIKFBDMIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNLJNBEAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEME\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JTPKTFUETUSBMTX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NIXVLVPNQBGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GRYOMQLTHIBIIRM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YEWVRSFLSSDWWLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMGBAQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKXTBWYMQVCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTOESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVCLUSDXKDXEUNQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTFFSYQYMWNI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUFRCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLYBGPGF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFLHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UTXLBOKIYXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YXKSJTPKTEUETUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTDKUAQLGAFVWT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 4328	2540	service.exe	255

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
940	reg.exe
2376	reg.exe
2676	reg.exe
4336	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	4328	service.exe
Token: SeCreateTokenPrivilege	4328	service.exe
Token: SeAssignPrimaryTokenPrivilege	4328	service.exe
Token: SeLockMemoryPrivilege	4328	service.exe
Token: SeIncreaseQuotaPrivilege	4328	service.exe
Token: SeMachineAccountPrivilege	4328	service.exe
Token: SeTcbPrivilege	4328	service.exe
Token: SeSecurityPrivilege	4328	service.exe
Token: SeTakeOwnershipPrivilege	4328	service.exe
Token: SeLoadDriverPrivilege	4328	service.exe
Token: SeSystemProfilePrivilege	4328	service.exe
Token: SeSystemtimePrivilege	4328	service.exe
Token: SeProfSingleProcessPrivilege	4328	service.exe
Token: SeIncBasePriorityPrivilege	4328	service.exe
Token: SeCreatePagefilePrivilege	4328	service.exe
Token: SeCreatePermanentPrivilege	4328	service.exe
Token: SeBackupPrivilege	4328	service.exe
Token: SeRestorePrivilege	4328	service.exe
Token: SeShutdownPrivilege	4328	service.exe
Token: SeDebugPrivilege	4328	service.exe
Token: SeAuditPrivilege	4328	service.exe
Token: SeSystemEnvironmentPrivilege	4328	service.exe
Token: SeChangeNotifyPrivilege	4328	service.exe
Token: SeRemoteShutdownPrivilege	4328	service.exe
Token: SeUndockPrivilege	4328	service.exe
Token: SeSyncAgentPrivilege	4328	service.exe
Token: SeEnableDelegationPrivilege	4328	service.exe
Token: SeManageVolumePrivilege	4328	service.exe
Token: SeImpersonatePrivilege	4328	service.exe
Token: SeCreateGlobalPrivilege	4328	service.exe
Token: 31	4328	service.exe
Token: 32	4328	service.exe
Token: 33	4328	service.exe
Token: 34	4328	service.exe
Token: 35	4328	service.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
1988	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
2476	service.exe
2976	service.exe
3092	service.exe
3556	service.exe
3644	service.exe
1884	service.exe
4252	service.exe
3044	service.exe
2836	service.exe
2896	service.exe
4948	service.exe
4560	service.exe
812	service.exe
2352	service.exe
1504	service.exe
3696	service.exe
4524	service.exe
2804	service.exe
2464	service.exe
924	service.exe
1864	service.exe
4004	service.exe
5012	service.exe
4372	service.exe
1296	service.exe
2024	service.exe
3916	service.exe
728	service.exe
2480	service.exe
4496	service.exe
4248	service.exe
4340	service.exe
2296	service.exe
1420	service.exe
436	service.exe
1852	service.exe
3860	service.exe
2540	service.exe
4328	service.exe
4328	service.exe
4328	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4192	1988	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	87
PID 1988 wrote to memory of 4192	1988	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	87
PID 1988 wrote to memory of 4192	1988	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	87
PID 4192 wrote to memory of 1732	4192	cmd.exe	89
PID 4192 wrote to memory of 1732	4192	cmd.exe	89
PID 4192 wrote to memory of 1732	4192	cmd.exe	89
PID 1988 wrote to memory of 2476	1988	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	90
PID 1988 wrote to memory of 2476	1988	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	90
PID 1988 wrote to memory of 2476	1988	6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe	90
PID 2476 wrote to memory of 228	2476	service.exe	91
PID 2476 wrote to memory of 228	2476	service.exe	91
PID 2476 wrote to memory of 228	2476	service.exe	91
PID 228 wrote to memory of 876	228	cmd.exe	93
PID 228 wrote to memory of 876	228	cmd.exe	93
PID 228 wrote to memory of 876	228	cmd.exe	93
PID 2476 wrote to memory of 2976	2476	service.exe	94
PID 2476 wrote to memory of 2976	2476	service.exe	94
PID 2476 wrote to memory of 2976	2476	service.exe	94
PID 2976 wrote to memory of 4940	2976	service.exe	95
PID 2976 wrote to memory of 4940	2976	service.exe	95
PID 2976 wrote to memory of 4940	2976	service.exe	95
PID 4940 wrote to memory of 444	4940	cmd.exe	97
PID 4940 wrote to memory of 444	4940	cmd.exe	97
PID 4940 wrote to memory of 444	4940	cmd.exe	97
PID 2976 wrote to memory of 3092	2976	service.exe	98
PID 2976 wrote to memory of 3092	2976	service.exe	98
PID 2976 wrote to memory of 3092	2976	service.exe	98
PID 3092 wrote to memory of 3252	3092	service.exe	99
PID 3092 wrote to memory of 3252	3092	service.exe	99
PID 3092 wrote to memory of 3252	3092	service.exe	99
PID 3252 wrote to memory of 3360	3252	cmd.exe	101
PID 3252 wrote to memory of 3360	3252	cmd.exe	101
PID 3252 wrote to memory of 3360	3252	cmd.exe	101
PID 3092 wrote to memory of 3556	3092	service.exe	102
PID 3092 wrote to memory of 3556	3092	service.exe	102
PID 3092 wrote to memory of 3556	3092	service.exe	102
PID 3556 wrote to memory of 2348	3556	service.exe	103
PID 3556 wrote to memory of 2348	3556	service.exe	103
PID 3556 wrote to memory of 2348	3556	service.exe	103
PID 2348 wrote to memory of 4740	2348	cmd.exe	105
PID 2348 wrote to memory of 4740	2348	cmd.exe	105
PID 2348 wrote to memory of 4740	2348	cmd.exe	105
PID 3556 wrote to memory of 3644	3556	service.exe	108
PID 3556 wrote to memory of 3644	3556	service.exe	108
PID 3556 wrote to memory of 3644	3556	service.exe	108
PID 3644 wrote to memory of 2324	3644	service.exe	111
PID 3644 wrote to memory of 2324	3644	service.exe	111
PID 3644 wrote to memory of 2324	3644	service.exe	111
PID 2324 wrote to memory of 3388	2324	cmd.exe	113
PID 2324 wrote to memory of 3388	2324	cmd.exe	113
PID 2324 wrote to memory of 3388	2324	cmd.exe	113
PID 3644 wrote to memory of 1884	3644	service.exe	114
PID 3644 wrote to memory of 1884	3644	service.exe	114
PID 3644 wrote to memory of 1884	3644	service.exe	114
PID 1884 wrote to memory of 2584	1884	service.exe	115
PID 1884 wrote to memory of 2584	1884	service.exe	115
PID 1884 wrote to memory of 2584	1884	service.exe	115
PID 2584 wrote to memory of 3172	2584	cmd.exe	117
PID 2584 wrote to memory of 3172	2584	cmd.exe	117
PID 2584 wrote to memory of 3172	2584	cmd.exe	117
PID 1884 wrote to memory of 4252	1884	service.exe	119
PID 1884 wrote to memory of 4252	1884	service.exe	119
PID 1884 wrote to memory of 4252	1884	service.exe	119
PID 4252 wrote to memory of 4008	4252	service.exe	120

C:\Users\Admin\AppData\Local\Temp\6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe
"C:\Users\Admin\AppData\Local\Temp\6aace931c46e91322b3a26e651edb487db700a8ac0e42f7690d8cafb8e335003.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1732
- C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
  "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSFERV.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCUYTPQDJQQBUUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe
    "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTEDHY.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBEPRMKMCQXGSWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFATYKLIQCJ\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:444
  - - C:\Users\Admin\AppData\Local\Temp\AIARJFATYKLIQCJ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\AIARJFATYKLIQCJ\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLJNI.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3252
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWUDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3360
    - - C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUFRCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4740
      - C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPGBK.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KGDUSIIKFBDMIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFJEMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDQ.bat" "
        9⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBEAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVWTCO.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMALTLAURMVGWBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJABDR.bat" "
        11⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JTPKTFUETUSBMTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIBCQM.bat" "
        13⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        14⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QQCKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHRM.bat" "
        15⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTXLBOKIYXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBMSXJ.bat" "
        16⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YXKSJTPKTEUETUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCVVKT.bat" "
        18⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SOCPAXDVUQREJQR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOHLMV.bat" "
        19⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GRHDYCPFTPNSERT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRDJO.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUYKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWPIOA.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QREJQRCVVKTFESV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSXDEB.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLUSDXKDXEUNQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBXPV.bat" "
        24⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXYBLRYYJABDRNM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHQNICCRSPYKQ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\HAPHQNICCRSPYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAPHQNICCRSPYKQ\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGDIDKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLS.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUWBRK.bat" "
        28⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MUJTJFESIVRPUHA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVPDK\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVPDK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVPDK\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHGTAX.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEWVRSFLSSDWWLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBAQROXJP\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\GOGYPMGBAQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBAQROXJP\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        30⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYKIMAEOTMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        32⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFLHXKSB\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFLHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFLHXKSB\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        33⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLMIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMQRWD.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLTEESXPXLWMI\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\TNGLTEESXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLTEESXPXLWMI\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGHFN.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        36⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLYYKS.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJMIGXVLLNIBEFP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJMTDO.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUGHENFKYAYMNIG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVMBKW.bat" "
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GRYOMQLTHIBIIRM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        41⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        41⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHVDQ.txt

Filesize
163B

MD5
e5fea69fd378f24cd1e7dc48ceb8289b

SHA1
40726f47bb9fdd955834922939ddf3f5404583b9

SHA256
5399625df7343f1ac173b24c626b96e7ea6eb480c6745331fcdf5b1b14901b09

SHA512
ca258556151b7f69d0a0368418469edae5092593d2a3a5833e380f91e66d8bf688626a12b40d68bbd8bb9e783b64d6126fab2ac614efc3c0bcd5f424a3d29a2b

Download Submit
C:\Users\Admin\AppData\Local\TempBMSXJ.txt

Filesize
163B

MD5
2674dde05c8ae6bf1162ca0e1c594bf7

SHA1
93aad9f07c2ef13db9f0217333a16a790c641a3b

SHA256
f404e2c684d44cce47db38bc0a86c98f4d4e1b1e735a8a6565a8af56baef53d0

SHA512
efa6eaf3e61f642f18976c7413943dfc978ecadf8f57172b1cd13c8439e71f898aed0416c0f27b13d170fdc7d698de6f07ab9321d5feb689f06a1ec62a95dd64

Download Submit
C:\Users\Admin\AppData\Local\TempCVVKT.txt

Filesize
163B

MD5
ef971d9cb444ead4b67657180806d09a

SHA1
dc620d9f0518c9ae32f8add684b296dc5da52638

SHA256
8a753d2424ee100f39444025c249345e163720cc954de4feb7848b08a08f6454

SHA512
29b04890e4b4272a1982cc65e0edf377668004431fc9ca9410c704042a894ded0005b48521531ba17bfb68f14e01e56f37c96ce3a3e7a15a58646d6a67700557

Download Submit
C:\Users\Admin\AppData\Local\TempDGHRM.txt

Filesize
163B

MD5
b5cfa8a625a6d064ebbec290d825428c

SHA1
94273a6f149c574c90ff2d512c950099b64159d8

SHA256
ff6c2977aa462af7d87e6a23afc6c7b68369edc16a8bfdc5ae06fbf54a55655c

SHA512
84ce3ab4403ad0c35d5fdada09b263d7fc2409d87f8f55c0922c74feea1f42706559bff1028ee170e25ff502600bc34411353cf1de28ec324a535043b3872e41

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.txt

Filesize
163B

MD5
7843db954a9c6ee6e462abcfc77bc5b6

SHA1
0e1c233b25102521cbf71698980c99f2e94a3d89

SHA256
e5dd3d855afafde5f66324e4bfafb63fb761a75b5619cc32a522f61028fdc1cc

SHA512
6658c64f6e238f777cca1766d1b8251e7a4bcf161a4594ec5e2fb303f127ea9c8def78e4083dc8353d3a72588721454cd6086dbb6a57f26df4c670f8c3e01dc2

Download Submit
C:\Users\Admin\AppData\Local\TempFXWST.txt

Filesize
163B

MD5
f3cf373ddeb32ded281ce52513b6c0f9

SHA1
7a6ea49900d3a35c04787fb862525f319ef6248d

SHA256
e8c68709854334af6880a74f26f0e5508dc80cfe28dbf697c0120ea9acf7e809

SHA512
9a57629020d98b0974f6e5e2f75a577e863d86175faf03084adcc42fce19af4126a75f41bb5b19e192e53648cdb4f9293a50e5898ba8c175bf7a5df7d6d6e77f

Download Submit
C:\Users\Admin\AppData\Local\TempGBXPV.txt

Filesize
163B

MD5
1f9cbd22377466bfe8cb5ae120f055c0

SHA1
5e7ec1f5ff60dfa9877b5cb098db0ad61b84edc1

SHA256
849b38edf66e9b69cd0f101376236f860476029353f5e9c38a80f91b1c581a28

SHA512
753cc2cabb1ce4af93ac9f7811bf06eb9d7eb07af5adb41e368f54153bf9875fa1619f40ec1b79635f802645a027a0a9eb4cae90a76eeb0a5bd5db0a1d032cc0

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.txt

Filesize
163B

MD5
aaf6299f809459c8a05d88aaa1b0a51c

SHA1
b3b3b42b0879b1ffd4987e8dc2c4bcaae913afaf

SHA256
ee126603ce039326e1aef944a77e0c7e5cdc6f9f176194a90a0af2fb04a443a6

SHA512
4e8745dbec0ec5ecb7eb63cfdd999fd19f8f9c14da73a8f0f2cb09a85e94818b61d934cef4f09aba7a100f9d3c147876132dbdb8af6f8e8fb19156bffc77ee95

Download Submit
C:\Users\Admin\AppData\Local\TempHGTAX.txt

Filesize
163B

MD5
3a38b09c16fd14d7621bb99ac1f9caa7

SHA1
c5db35384aebc28df79934fa591cda72563004f9

SHA256
d2bba840b64401b2affe3a1f9470af64004cde70db108bacd9f09ed72c25f192

SHA512
bd4def742d38d38fe2f3e1dd3d077df5ff1e4c415e0ad05afcb4171285afec3c135821131adc6312ac7c7f6d49ecd0329904b38d21ce8eab1a03eb0c02ba1767

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
b4befd5fb2ad70f1ed5c7a840bf3d72b

SHA1
400e7511ca653978caf273ddbc34f70c96afa49e

SHA256
bf51f14d53f5690411298cd4cdc78cee66405c84e318cb4ee557c7f14ebf117b

SHA512
531c6f9e37fb2ff5c495a1918fe33db3f45c1c06ce10a353600b601eaeb179f150218d5d0941504d5902757c35473578206664c7eb65cacda00421257eaa0415

Download Submit
C:\Users\Admin\AppData\Local\TempHPGBK.txt

Filesize
163B

MD5
e619014df1dbb5a7cd39f43203766556

SHA1
f77a191b6c76c7937c894e0ae3e6ecfe1fea6471

SHA256
771812fa7a249f2e51c336f26f95b4f85ba3ff2d3416de38ae37c0d9de722a81

SHA512
bcbde460cfeb840eacbc8b2a569797c01401002aa9f9d970333f592c58c790a39126dcd4d6472718fd69d5cb4ce04e6959bdc7a2218ec493b59679fce2d6bcc1

Download Submit
C:\Users\Admin\AppData\Local\TempIBCQM.txt

Filesize
163B

MD5
4ee0ac9fd9906f6947aa07400a0c6eb0

SHA1
889019ae0da9a4ec8a4c26f350266d5fe66d87d8

SHA256
f984d52f2337b3ac2be55c808a5f8745e0b284db69e3c083240622ae1066908d

SHA512
cd0e092b24c306e789073cc14985587631ef1864128c403751515356f2e4ccf2a246aa7f0b119e77f93bf9b9637755b661dbf82815c41595e8256dd7f0c8594f

Download Submit
C:\Users\Admin\AppData\Local\TempJABDR.txt

Filesize
163B

MD5
49bbf6c8688591d689bd71bf51c1e28c

SHA1
d6a6cfb52ac5375af87b7b1e44c2eae713ce23eb

SHA256
1ebfac99ed6747ce86a48ed9ffb7c793522755c7e0a0f8f470efeec173164203

SHA512
dbeb4151828f843ff90476cda49adc77fc5be03bed169b38d638e75ba1d8be6ede1945df5759cfff5c6abf0d545624881baad33650355c256f6f4b56884cf046

Download Submit
C:\Users\Admin\AppData\Local\TempJHLGO.txt

Filesize
163B

MD5
1e521aba46a8337c2d5f87be4c1209b3

SHA1
4a95b8940bdf7e81ceae251016fe38700b0ece26

SHA256
e25904994ed4b608b124412c4b83b42b9d181fc3b43247fe2acb5b86a49d04aa

SHA512
e3e173428d470ceb89a1832193e456ea6f540fcd3055b75928a77b9aa986a190c9b7037b281dda9f46b4a702eb1595f8d4f191700e25608065db8febfc249278

Download Submit
C:\Users\Admin\AppData\Local\TempJMTDO.txt

Filesize
163B

MD5
3d7c73059b0ccdc5826337723eed3dc0

SHA1
8777bc835d0e6fa386d3e44134030ebd805f5713

SHA256
3e1e12030746029a804fc04862d1d761b418290a8b309991f833f075352b0483

SHA512
185f96d99ba3d28f56c0c641fd5a59b5ca913739334ba90f240f0431d1d9c7e7905fdc1945ad26499a43ba033a71b675e21945297196916ecb5c0a3541f5000f

Download Submit
C:\Users\Admin\AppData\Local\TempJRDJO.txt

Filesize
163B

MD5
95ed3f2fe6a8ba0d821206f50f428407

SHA1
a5cad1dd53d036343e70c7f699ad30d3f6acd7dc

SHA256
144395ffd05f6da56019939bb569e6910b677b6999d2ad1ab782ef47e12faad3

SHA512
c8c9d3706947249e343182d31075572a28cc4a0e7b44f7dda79d29531a3eacfd25f1e6f8bf608517c6c08d993eeff25a8d952402d635d7cd5e0c25b6561d80f3

Download Submit
C:\Users\Admin\AppData\Local\TempLYYKS.txt

Filesize
163B

MD5
fa60634b3a0c7cc4ccd4c9d0ec56fd4e

SHA1
df2a79843ab200bfa76599236b6ad87c95d51871

SHA256
cc829f3666baf64435bf8165df7cab448f3a7a8c1e5a47a8341697283baddaab

SHA512
5217f8baed89625e42c1135fa0be255011350c9cb02f4ef2f1912875feaa1521e3d8402a625899a35b6a36ba6486fbcb9513603077ae2ccf23f9b8e4e0c01836

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.txt

Filesize
163B

MD5
fce13af42af349fe8ef6233bc79a08e5

SHA1
2e34f8f65b59160664876013b9d0e37856b585f1

SHA256
6f629893b54835cd9df0c9826f7bca25025be05ecc4a4b3f113dc572965bd7d8

SHA512
5058c3a7efb6db2de8859d9577f1860fb77af282d9de85695f9b21396518798d44df4ef7ff2a5ae663594fd0b51ea7fdb0832ebeb1dd8a433207bc2e5823d32f

Download Submit
C:\Users\Admin\AppData\Local\TempMQRWD.txt

Filesize
163B

MD5
c17aba3458db09b1fe59ed713fb2493a

SHA1
dcb2d244fd25ae66988439fc6c932cc4bef151bc

SHA256
da27fcd6e663effa63dad9f30a8f2dfc30f26422fc98a28ceee9bdc53497aab4

SHA512
a8220b03368da9e5056492fc7e266db8aac00704780bc328e896d3636c878843deaa6735fc1e7f72e07862c920f132f5fb6acc52799ee400ead60d482ca385c5

Download Submit
C:\Users\Admin\AppData\Local\TempOHLMV.txt

Filesize
163B

MD5
583bfccf93d87b329352e304eebb1491

SHA1
8fbcbddbaa2599790e388420af10199b372640c9

SHA256
0836058d6f452b8b16ff13fe0f615eea3c9892b77d583de21460288f9992cc57

SHA512
a5fce1f2b5f9e194bbb80da8f0845aba1c39d977647258d32c9bec28683d74c1e3ae8ba33a8088ff24069a6b64c70ed8ab7ccb761d8807dc0381f8d66ff0a485

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLS.txt

Filesize
163B

MD5
9f996b54a13d663907c4f20701de7171

SHA1
e91a9522d2f4c7e947f72b76af7ccb1732c68f66

SHA256
118ba6c8e8580d7820c7359f787f87a946a3960e87575536c2a7154e77e6a2f1

SHA512
ba495db0b354dc66583103ca85428ab80f5cf5e95d208977c8042d658bc1bd044fc0f679ca50a993ebc438f5806ef9dfc0579a258e8ae9c9d3c493f01f74cbd4

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.txt

Filesize
163B

MD5
e31b8028343b583339b59929c8a6f118

SHA1
ec0e0e74dd160dca81420050d77f7d4207f5cf4e

SHA256
0b18590d9121925927c93bd625ea26e766174cbd1985564f0d75f1f318527407

SHA512
a5f0403189f91fb0b3687db094657ffc8e1c7ea17cb87a3acfcd8afa4de1e76b64b3f0a378d30c9697be667642a6c12af5a78e1949273802c989691668318c2d

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.txt

Filesize
163B

MD5
03774a5b331fddd430de8a4bda2de667

SHA1
4aed1d3ac48ac1c34a3a0cf0ca665c4e398eef20

SHA256
241a8ad3b44ff1a584d36d52002b8a5d722bad8ade416f484ea35a646c48b818

SHA512
46c32b5583f7b17b6bd431ab73e19da674b6747c7efb385cdf118727dce83ce80e10cc4cd5452a81e786c8f3e521ff470826452668162d916c2c00da15b4d1f8

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.txt

Filesize
163B

MD5
5f86bd202bfcd38eb1df9dc3f99b3f2d

SHA1
20eb5c3c335c0ae536940a2687e7a4b19f36ce56

SHA256
d321062aed8a7c06ac93888227db15ce99c621f0c1f748ed53813a296aa4ab84

SHA512
4ce449ef9cbe9707adba1be3be1a650c1ff846ad9f3af74ed8428ab64f9c35f0425482af8c5d68afc7d9eff857e369b949b65d9f03e4f7f515f1f3fb3b02045c

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.txt

Filesize
163B

MD5
1a31645fe1b5611c3f23fcc7eb6aae24

SHA1
6d172a3398dbd5d1bd526149a18fcd11021e7dd4

SHA256
0fe9f6aee33bc57e5b8bd4bf1ad147b413ccbce666ce42356c5479293f95bb64

SHA512
60dc635b7756e3177e32e28fae7600115a91108f5e95e5229f9ca96e88eddad408af8b24a992b680377ef6219e2cf4ab7c3e50c63228cbe35122243613660a63

Download Submit
C:\Users\Admin\AppData\Local\TempSFERV.txt

Filesize
163B

MD5
62058f171dbca746908947a210c8f4c2

SHA1
2ba226abedb5c9790aa6e87bcf842e4408f9abdf

SHA256
e3f2a08de6dfe5bdfe03ba96f2369d1a7c6987602faba6c4afcb4b78b1f1ff28

SHA512
c072edd013e452cf250e186cb48f65080dd5b3d136e53ba04cd436cd8a05c3b8e9de47fd7fd37dcc62f369c2b482670974efae12f091d30365cfabbeb914278b

Download Submit
C:\Users\Admin\AppData\Local\TempSXDEB.txt

Filesize
163B

MD5
a53945ba40a1f1ba3a3dd3219661dcf7

SHA1
f31dd2d0a1207cd3faa495441735d4bb330dfcad

SHA256
5a15db2c39d1a5e509699f75a05dc7d02d289e9b3ca68ff3b7118e27ef1641bd

SHA512
88126ebf274fb8c8459f7018a5cefb61ca9a8ad95decf7cb2e32487bca2654bc6a7f5a5c6121c59f4f51564bb4b0743b8896c8b43fd769471007e305d60251ce

Download Submit
C:\Users\Admin\AppData\Local\TempTEDHY.txt

Filesize
163B

MD5
6f5784ce6baa24153329ccbbe42acde6

SHA1
30505535a5f5d1e01a276b5aca66b93afe191812

SHA256
ac85f8867772fcad8592d2ce15ba4fd136df7b16fcb6b9e778daa926efeaa213

SHA512
5c99a64352361506157cce1942212d62a7ab6368363ceac8abbe0e87395ca6e76466a78dc2434dd7143d8aa886067ea147b757a91d8f72bec6450524c3ce939f

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.txt

Filesize
163B

MD5
455c8a6689513eaa82789d6053a1c49f

SHA1
316ee3812705351df713e6c2e2fd8137d35a7d6d

SHA256
a8d343b3418d974a4a3c11511a5f827664bc00e103b3d2a8dfbaba0701df82e5

SHA512
6f03a8bbb981589a1df53ffdd53ed07d77aee6a1f1b2b63bd0c2bc516ebc6698a7c5d39d712ba4fefdec248af97c2d02ef2c683bee8d8180c31e809f6b5aa5c5

Download Submit
C:\Users\Admin\AppData\Local\TempUSBCV.txt

Filesize
163B

MD5
fb2b1edc1923936246680e149d032927

SHA1
920f27173620cee3f376d9af95b6209a1218fe57

SHA256
5ac147e12220c500a9995063b879acfbf0de4a061fc734854a819c60d2aa9a7f

SHA512
f5b1eddda9a17bfe27fff16a7e96397a3579b0af4d45916afed63e1a5c98a8958a4f91cc4faab396f7d6d963fb5f5213eb198b146d104775fa6ff7206c0f07a7

Download Submit
C:\Users\Admin\AppData\Local\TempUWBRK.txt

Filesize
163B

MD5
4f877000e0f513ab61c4d5a76148076d

SHA1
eaaba8c9c50f1a8ed522f924754f8e1454602499

SHA256
0a04319adfbf92fb6cede593937adb8a1a456e5814ce01f528befae360d0c509

SHA512
3bb15e365c85d8cdadbd535901df004c1880a943c22d9d4bde39ebb1d1c015600464d9172fb9cbfa7599b693c58ac93db6b17abad445900f25202b75e85bf4d0

Download Submit
C:\Users\Admin\AppData\Local\TempVGHFN.txt

Filesize
163B

MD5
ad82842722ffb58f85923fe72995a080

SHA1
b0196c7e43c41f945699d8086d0bdab02be7119c

SHA256
bddd1ccc5afa476901c4fb69ff910093b51ab37f436adfe4e3daa069d2b633e9

SHA512
a101e08b3809eed1713d50d162ae3d7a00c9b3e89f41de67d91f01091eafe2d7d93e0bb46ee4eb52419dcff7877b5c3ed1fbf33ae53c407c8f84e517f6b42bcc

Download Submit
C:\Users\Admin\AppData\Local\TempVLJNI.txt

Filesize
163B

MD5
5157ee60b58bd389f3fac057958ed9fe

SHA1
9faefda7955fc40747579c53208f5e167f3f606d

SHA256
16865a6cccf2d8d1734f12d590c6af3bbfa8777a176ce67b7fcf51929da2156c

SHA512
b810b2024e4db16e0ff6b392935a88f7798aeb4dbd8a26a68f241953f01fa09482999b31b8c133c402523aacfdcabb17426c98b0f6a14f4c15e2392f4a2f96f2

Download Submit
C:\Users\Admin\AppData\Local\TempVMBKW.txt

Filesize
163B

MD5
4df8f005045f0286ac51c32b1deebca3

SHA1
2de97491fe2d4912beab303670432fcb84877f16

SHA256
c0153b1d7380c509ff17cd3acecc0132f1d00d2bad557de156703fd95dce9de2

SHA512
024c5f83d503d454555d57e72215fe78502195254bb5436fcc76762250bff2333472c99c23c9f522df98048aa82a3fb2d2438ffcebf09b80452c983a2cc49d2b

Download Submit
C:\Users\Admin\AppData\Local\TempVWTCO.txt

Filesize
163B

MD5
789bfc0ec7222ae085e8522eb4eee2f1

SHA1
e442771b6a5d6ea0e3a03b62cdb11b1cc95b4e30

SHA256
ece32c50b504f2e9bdbc1baf562b3bb41b420d223b2f4196cef8f5af753ac98b

SHA512
af58a8b4aa842fb03ea0f5fb6dbc8cb20eec1a0cbe72996f26b14ed44ecd563331b2b36210d8424880025fdff06d9cd5870ceae28bed552cb0bd58d3a55ef3aa

Download Submit
C:\Users\Admin\AppData\Local\TempWPIOA.txt

Filesize
163B

MD5
3925ec1c9527f6908e18ca5192c249a2

SHA1
2d37adb7ee0f5f61d56aae4970d03662d9857db4

SHA256
3da2bfceae4ef21783486c4dbbd846d2aa355d40e84d9d28c768faccae47d664

SHA512
49faef8cea7166b97e1508b610ee7c84b1a62b11166a59fa461b07b3abdcacda8291efbdd1b882f1c161476fddf439c7c85968f029b3b6d2b85d0096121da93b

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.txt

Filesize
163B

MD5
4004805be9425a828f1421bab4a3a78b

SHA1
b8a6fc4e959fdff961ce6aab8090fd1809c19590

SHA256
967b88ff41ccebf1a53fa4b1085ae1805561464d535440c5598d4e9072721aa7

SHA512
37625ff599536cedc336402ed823bbaf31b7d12c05a87e674cfb4f0fbfa7b2a6386f66eecd0373c43d9ab9637c2127c66fc31de07235be3baac2aaf0b1f193b0

Download Submit
C:\Users\Admin\AppData\Local\TempXSSHQ.txt

Filesize
163B

MD5
3e81e6dcb864b4c554164ae46d86c0ee

SHA1
942aacb46f4e6fc9dfbaa3ad5818e20faf2cc225

SHA256
bd2f8ffdb3aa85827b29d12470f888dcb45443d96e3b6c63ab537abb23e12840

SHA512
d80fba86dfc5ae889e86c9d311c992427faac892807f2770cdcbae05c8d5bbff44b806d33352a3b778ae2a6f879fc7f3a828f2ed2a1aca088c27850378eb7d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIARJFATYKLIQCJ\service.exe

Filesize
520KB

MD5
702e709078428558a223a7f31ad23244

SHA1
f083373f78ecf6acf322b59841de4643a0df7ade

SHA256
85840cf7eba966a97fbf66e24e85a08dc4a05b8eba17f06b4c4a3b55f02a1dac

SHA512
6ac2ad9e047df743592c9498f42b5721185dae91c799c1d5e4614b186a8f10ab254b1b8056e2ef155b75648c0602e18acdb39f523aecb975b5c285cddc0c5e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.txt

Filesize
520KB

MD5
29f9484319a7949faf9bb0c7589097fe

SHA1
db906389fb5bda558ea2df0b2c9a0b7e0172537a

SHA256
8934d612cb57a311eeccb76dbfe9f1d75e0f1e8c0f6625e196df8afb18156324

SHA512
e191bd28ee61ec426015517eb1cc4f588fd732cdfec0a2658ce99d0d9f718aed2258adef7968fbb0c9664b77f25c4a9714a7d9e18b89584473bd1bc303eaa438

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe

Filesize
520KB

MD5
965a76a6afa644a7a8ce86ae1d23ac19

SHA1
c41926c48a62b1fc5789bbf3c9409f5e4b93c6dd

SHA256
0c140b248131fe16eba9877b5ce3f3e472dd239d561a75d6f5f230740ec26671

SHA512
2747da01a5b1246887ca80ff679e847dda85b9662d1be473c7258cc4b0c4161c285646d855d612d302c9763cd0b75007fa47e27690a44afb2de9b350a66bf9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe

Filesize
520KB

MD5
9b8b67f30debd2268b54df4420579cca

SHA1
a8d254ef9cf75c62e15d0875f0a6ee37326ff6a1

SHA256
96b97911297cc3dd250ea8ebce36cda445f6e2e4e7a421e4c4db750227292532

SHA512
5e4a5795a1ec899473b3ae1dca9abc7dc01f610d90520d8e0dfac23efaf22c4eb404a5ea0b22effc54aa61476703a580f551f96c3765886a4a388a2a0d5a8668

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe

Filesize
520KB

MD5
68b3272f57b4aab6696f8c001bad1d05

SHA1
a5d8bee0aee812ed0acdbdb384188eccb233f9f0

SHA256
aff6097be0f56792660f9e0e6d937a78a7cf88b6e5eb2037e9652602e87e2864

SHA512
064726140b13684b70abb9bec93c153af7a98a256fbd4beb239b7fdd48d2470aecf880cfdedc379fd19b4e5a9f660cf521ac70d9db9041a151d8a26ea3fde70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe

Filesize
520KB

MD5
f853902d27c077a459f599bb2be50884

SHA1
e609e303145cd21a2d1459466706286255640caf

SHA256
035f630a2c00c393147387a36c9b6b4c1ae36a4bdaf6648e7af4ca24e5e60b74

SHA512
666a8d95fd0a08495cc92c2a2d16960b68f3255e92927eadfd632666e41c860aa413b0da86d118b6311155dce8bf7b65dfb699a0731ac209f7b7147231190baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe

Filesize
520KB

MD5
e6f8641d1ae0c952a7e04da49c27b359

SHA1
958b62685c53f46bd4c356e3312598da11173bbd

SHA256
7b1cbe396ce4f7eaca678c05bba1464f20ae3002d4d28e46151fd505a5388c0b

SHA512
75b7899db34dd2949ccb3f13d0a98b551ec3e5d770fcc3d501d9407f965708c8089699db94f17b979f86e47a78593e2fadf13a9b9aca1c30f22c7a0fa9f3c342

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe

Filesize
520KB

MD5
766b919564338b1da05c6d61fcd480e4

SHA1
5f2ca7846574ce5d70f6ffd509d6ee9541437dd1

SHA256
77cb3e62030e7648c97c55f1ff55ac4247805767b351fde6515036f51cb532dd

SHA512
2149eaeb8e35b34d6c6b9a9ade7df584953338c6b1c66a383990c5a850a3128372315e00d74383d3bad773ccc88c7caa1b7c6f9d861b9375ba8cb6c6cf951f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe

Filesize
520KB

MD5
5a23eab8ac35c379e4d1301bf66cf2cd

SHA1
964c321e1f656909708c69de35010adb5c09139c

SHA256
83ae138fa169054de0e59bb15b931a71e09d0518a3f172962aa52bd0e3d19ff1

SHA512
f2d1cf8cafbd9158683a0fa08a8563fc7e48dd62f00353a82047055ba7b0c8640d0729ddfa3efb33c277277435a4b89887dbc0ec7f44c299ddf8ea4e967da0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe

Filesize
520KB

MD5
2b0c03f6fc23b0e3bb20cc5dfc8b5afc

SHA1
01fa5849bc43933a4efa7a153d041d9ebf7c594e

SHA256
9af9ff4157575a568be330b7a02c9b51c9c6deee828483b0ca48b597e346fbd9

SHA512
1102ae02c214dbe18b71347f97d97b34dc5a86bfe0cefe8aba446c4e527872dbe8f2f4d8e00f5da675f37652a031ef660a80fc6968aa5dae7ceeb05e298eae8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe

Filesize
520KB

MD5
bc8fb93829d04e7886220e99c1fd78c6

SHA1
42d6ef4702a09f04cfaffffb930ec87c7e9d9fe5

SHA256
53eb081cff81df63f9274e60ce214ac5a4078bd32215d70fd81b6e6cb34bb4fa

SHA512
072e0480402cf96522b3db936c85069dd6fb98a278d35d99ba637522e1c39bcd422c91331f9984729a134d0d0f2cba7b41b03bcbb680f0faf2f5b8d6eefec952

Download Submit
C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe

Filesize
520KB

MD5
c106b4457a797cc9abfb3f6947dadaad

SHA1
6b54e49b2db9575f9fe9371c4e518d18c0f03e47

SHA256
6b45a790c95c308bbae56f09b47239fc94343a18827ce7f886c0c657db06bbb7

SHA512
a934ec02e271dd9ddccfc1605d583ca5237964d93e664a0fb183b29911876041e17973a25862b1b876ddb7b1cb0f2ce465f253c782bde8fd57827502a05ceff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe

Filesize
520KB

MD5
216b1600bdcd4014f226aafb54eed67c

SHA1
8370882577c1c8aff3a2e658ba4218f0923529ac

SHA256
22fd8c78f6d7e15d8347d18dc8100076d14f2de5fe327ca30bc75507d135723e

SHA512
08631c4ca2770733f67bc273923149a6f83c525f435d996a9daf552fcda3afcfd586fe996a210622fe8a0f10f90f5e17f9e89a87da6d1a6b12610f4a59a15904

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe

Filesize
520KB

MD5
5e489a830f789adfd0399b5af7e2477e

SHA1
58b672a27ecfa6414371f1ec10f6e34b1685194b

SHA256
ddcff9b62e0a5de87f88671cead991f47a9d35e57b1d7a5b1515b1d6d58d5bf7

SHA512
2372b79545d3b10cd22200e87370a294f1e712cec9c0328645c286bfec7024f417ca71efd857001b788ec17333d4b640c570ad3bc0e113d97f498d237defc93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe

Filesize
520KB

MD5
5b47f09f196727802079078a8c0f3f5e

SHA1
1223e9f81e6d982f0edadc50ac4a22f1cefcd8dd

SHA256
52759a0c18da0790a87a623848a28eae81f6a6c40c2fe0e5365017dbdf80709a

SHA512
880947008452282376976a6ef966ed2562b3891a9d965a51b06af6986956d23dd8eed1eac60a293260e40b73666ccd8d7114f6a61c26fe36260e29a8f3bb4160

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe

Filesize
520KB

MD5
1b00c7e56cdb5aafdee80626b8a97199

SHA1
3793cc0f5e011dc47a0998447eb98515415f266f

SHA256
198f0a716c8b3413fa988833fe88495916befd5c1cd9b6dd4931f9bb085dcc16

SHA512
05daff01f4eed3674262b01815b88fe7bf896c762934c6aeeb97899cd09afab808b24e9509ca59f171156bb19682f801065b932fc24024aa543a792222e0915d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe

Filesize
520KB

MD5
376d089d08d9f3d126f3fe8b69445ae8

SHA1
d6106b29c044c575758b4a0cd70d77c0b70ee9e2

SHA256
e7324605da2fb660addd3496b725702050048ab4d225271df82e8909705d3472

SHA512
22b8ea9d4e201485a4abc370131100db5914e677a170846883cf889a5bb0f49e8a456bc9b5e55265a2b6e81fe0a9236b726709623d72a233c59bf28741f585a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

Filesize
520KB

MD5
5cb2a831dd7f9a861d193cceaf7f4912

SHA1
21822d468019b78a971f70ec29998237f5ce0084

SHA256
fa17b5d7ec4abf9358ed1efffb2622042af2b4740d74c4a9376102fd67e27568

SHA512
d6bb3be7ff189b2afe0fd79ca53593eb64dfd2c6db3859883019bf9a8f443d466e2521984245ec2057913c82b67bcc670d45d13cf1628e24b23c5ea3aef5272b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe

Filesize
520KB

MD5
b9d70b88fe1816a821d91761bc37a6cf

SHA1
b4f23c7f6996015afd159e66ef12fa66abb9d91e

SHA256
01e030da9d6ddc616a1dd69b02ee492e82560c626882818246bc61204499fd88

SHA512
d326cc18c5d9ea81f9c4693b0ec05d447c4de1a0f96234d9bf3ca269aa7e2cb17a8af3b43294188051596833c7af4b67d61d8472da2d2828efa9e6203cbd268b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe

Filesize
520KB

MD5
250146909e98fb8b4f415af64213a998

SHA1
e42ed67079681ff04dce02d24451400923727191

SHA256
c1aa4ce1f9c5c489fc6d07a055c86acedae597fc322582cfc569a3f752f35b18

SHA512
eae6af6d37eaf15e9f8549622039de8000671571b96acb5f2fe9c3b9876c8d4b8f4e4a8c83a76fa28f33aedeb3fff086438d6e4f762761a8c5f4b0a118c8aab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe

Filesize
520KB

MD5
35cdba03e4a804a46c7b062d33321b69

SHA1
c89a84dd7f7dc37ffe22725e5ea4e667b101fa4f

SHA256
05a00977f2935ec2e7dc44ac1c3bab9ab256abbb53071162042d58e894427e68

SHA512
7c59090fe32a7ba639f4f71aa288b862aa47914fc42cc8957e6a5fafc7e8acdcbaee36ab2b15c00b1333136d911daa7f0f5077c908f4da2fca9d8d719f1febf2

Download Submit
memory/4328-985-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-980-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-979-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-986-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-988-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-989-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-990-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-992-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4328-993-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads