blackshades | 613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
Size

520KB
MD5

7873dd049d1c1c0874ae0620c9c349ac
SHA1

d6f5c82edec0a82dc8c9db9ccd5d81c7fbcecabd
SHA256

613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69
SHA512

e1c953cfdfbb59bfe3f0e4a018bdc01d585ca7ff485547fd6537fa80c4fcaa4be65fd82173e16ec0dac461efe73c396ad6e0c74d6f2bad8b4f147b8d3fefd191
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXJ:zW6ncoyqOp6IsTl/mXJ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral2/memory/764-810-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-811-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-816-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-817-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-819-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-820-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-821-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-823-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-824-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-825-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/764-827-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

Checks computer location settings 2 TTPs 31 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 32 IoCs

pid	Process
2268	service.exe
1084	service.exe
4192	service.exe
4420	service.exe
4904	service.exe
1812	service.exe
1656	service.exe
3704	service.exe
4856	service.exe
5000	service.exe
3580	service.exe
972	service.exe
2044	service.exe
2520	service.exe
4936	service.exe
2728	service.exe
2528	service.exe
2068	service.exe
2792	service.exe
1164	service.exe
2528	service.exe
4524	service.exe
640	service.exe
2708	service.exe
3184	service.exe
4176	service.exe
1684	service.exe
2216	service.exe
4152	service.exe
2600	service.exe
3864	service.exe
764	service.exe

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NKKWSQUPXLNFMMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDXUOCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RJSPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MULAVRMVHWBGVWU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMIJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGBAGCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PXPCDYUPDYKEJXG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRYNOBGN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UQEQCAEWWSTGLST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWBDTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRNKPCPRMFJKTPC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVTYLBPKIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSJOGXOCMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHEIDLAXBYTRABU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHQNHCCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOCDWUDDWMHQHFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NIXVLVPNQBGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSUGMTTEYXMVIHV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJUNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAIUVQORGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FHXUUCQPBKBTKHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JEDRHVQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKCIPYBBOUMUIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNICCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYUWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DYCPFTPMRERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMMWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQUHLHEVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYXFPFKCTKJT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TWHMREBQYQDFAAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWUMCQLJYOBOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKTKPHYPDNE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UQERCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VLHGTAKXTRBWICW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWGOCBCXDTOCJD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAXLXJHLCNSLBBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCKC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUTXKAOKIYWNMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3864 set thread context of 764	3864	service.exe	233

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
724	reg.exe
2720	reg.exe
3504	reg.exe
3288	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	764	service.exe
Token: SeCreateTokenPrivilege	764	service.exe
Token: SeAssignPrimaryTokenPrivilege	764	service.exe
Token: SeLockMemoryPrivilege	764	service.exe
Token: SeIncreaseQuotaPrivilege	764	service.exe
Token: SeMachineAccountPrivilege	764	service.exe
Token: SeTcbPrivilege	764	service.exe
Token: SeSecurityPrivilege	764	service.exe
Token: SeTakeOwnershipPrivilege	764	service.exe
Token: SeLoadDriverPrivilege	764	service.exe
Token: SeSystemProfilePrivilege	764	service.exe
Token: SeSystemtimePrivilege	764	service.exe
Token: SeProfSingleProcessPrivilege	764	service.exe
Token: SeIncBasePriorityPrivilege	764	service.exe
Token: SeCreatePagefilePrivilege	764	service.exe
Token: SeCreatePermanentPrivilege	764	service.exe
Token: SeBackupPrivilege	764	service.exe
Token: SeRestorePrivilege	764	service.exe
Token: SeShutdownPrivilege	764	service.exe
Token: SeDebugPrivilege	764	service.exe
Token: SeAuditPrivilege	764	service.exe
Token: SeSystemEnvironmentPrivilege	764	service.exe
Token: SeChangeNotifyPrivilege	764	service.exe
Token: SeRemoteShutdownPrivilege	764	service.exe
Token: SeUndockPrivilege	764	service.exe
Token: SeSyncAgentPrivilege	764	service.exe
Token: SeEnableDelegationPrivilege	764	service.exe
Token: SeManageVolumePrivilege	764	service.exe
Token: SeImpersonatePrivilege	764	service.exe
Token: SeCreateGlobalPrivilege	764	service.exe
Token: 31	764	service.exe
Token: 32	764	service.exe
Token: 33	764	service.exe
Token: 34	764	service.exe
Token: 35	764	service.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
5060	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
2268	service.exe
1084	service.exe
4192	service.exe
4420	service.exe
4904	service.exe
1812	service.exe
1656	service.exe
3704	service.exe
4856	service.exe
5000	service.exe
3580	service.exe
972	service.exe
2044	service.exe
2520	service.exe
4936	service.exe
2728	service.exe
2528	service.exe
2068	service.exe
2792	service.exe
1164	service.exe
2528	service.exe
4524	service.exe
640	service.exe
2708	service.exe
3184	service.exe
4176	service.exe
1684	service.exe
2216	service.exe
4152	service.exe
2600	service.exe
3864	service.exe
764	service.exe
764	service.exe
764	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 1076	5060	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	88
PID 5060 wrote to memory of 1076	5060	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	88
PID 5060 wrote to memory of 1076	5060	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	88
PID 1076 wrote to memory of 1684	1076	cmd.exe	90
PID 1076 wrote to memory of 1684	1076	cmd.exe	90
PID 1076 wrote to memory of 1684	1076	cmd.exe	90
PID 5060 wrote to memory of 2268	5060	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	92
PID 5060 wrote to memory of 2268	5060	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	92
PID 5060 wrote to memory of 2268	5060	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	92
PID 2268 wrote to memory of 3984	2268	service.exe	95
PID 2268 wrote to memory of 3984	2268	service.exe	95
PID 2268 wrote to memory of 3984	2268	service.exe	95
PID 3984 wrote to memory of 3288	3984	cmd.exe	97
PID 3984 wrote to memory of 3288	3984	cmd.exe	97
PID 3984 wrote to memory of 3288	3984	cmd.exe	97
PID 2268 wrote to memory of 1084	2268	service.exe	100
PID 2268 wrote to memory of 1084	2268	service.exe	100
PID 2268 wrote to memory of 1084	2268	service.exe	100
PID 1084 wrote to memory of 3708	1084	service.exe	101
PID 1084 wrote to memory of 3708	1084	service.exe	101
PID 1084 wrote to memory of 3708	1084	service.exe	101
PID 3708 wrote to memory of 2792	3708	cmd.exe	103
PID 3708 wrote to memory of 2792	3708	cmd.exe	103
PID 3708 wrote to memory of 2792	3708	cmd.exe	103
PID 1084 wrote to memory of 4192	1084	service.exe	104
PID 1084 wrote to memory of 4192	1084	service.exe	104
PID 1084 wrote to memory of 4192	1084	service.exe	104
PID 4192 wrote to memory of 4752	4192	service.exe	106
PID 4192 wrote to memory of 4752	4192	service.exe	106
PID 4192 wrote to memory of 4752	4192	service.exe	106
PID 4752 wrote to memory of 4696	4752	cmd.exe	108
PID 4752 wrote to memory of 4696	4752	cmd.exe	108
PID 4752 wrote to memory of 4696	4752	cmd.exe	108
PID 4192 wrote to memory of 4420	4192	service.exe	109
PID 4192 wrote to memory of 4420	4192	service.exe	109
PID 4192 wrote to memory of 4420	4192	service.exe	109
PID 4420 wrote to memory of 5048	4420	service.exe	110
PID 4420 wrote to memory of 5048	4420	service.exe	110
PID 4420 wrote to memory of 5048	4420	service.exe	110
PID 5048 wrote to memory of 4936	5048	cmd.exe	112
PID 5048 wrote to memory of 4936	5048	cmd.exe	112
PID 5048 wrote to memory of 4936	5048	cmd.exe	112
PID 4420 wrote to memory of 4904	4420	service.exe	114
PID 4420 wrote to memory of 4904	4420	service.exe	114
PID 4420 wrote to memory of 4904	4420	service.exe	114
PID 4904 wrote to memory of 2068	4904	service.exe	116
PID 4904 wrote to memory of 2068	4904	service.exe	116
PID 4904 wrote to memory of 2068	4904	service.exe	116
PID 2068 wrote to memory of 3780	2068	cmd.exe	118
PID 2068 wrote to memory of 3780	2068	cmd.exe	118
PID 2068 wrote to memory of 3780	2068	cmd.exe	118
PID 4904 wrote to memory of 1812	4904	service.exe	119
PID 4904 wrote to memory of 1812	4904	service.exe	119
PID 4904 wrote to memory of 1812	4904	service.exe	119
PID 1812 wrote to memory of 696	1812	service.exe	120
PID 1812 wrote to memory of 696	1812	service.exe	120
PID 1812 wrote to memory of 696	1812	service.exe	120
PID 696 wrote to memory of 3756	696	cmd.exe	122
PID 696 wrote to memory of 3756	696	cmd.exe	122
PID 696 wrote to memory of 3756	696	cmd.exe	122
PID 1812 wrote to memory of 1656	1812	service.exe	123
PID 1812 wrote to memory of 1656	1812	service.exe	123
PID 1812 wrote to memory of 1656	1812	service.exe	123
PID 1656 wrote to memory of 4416	1656	service.exe	124

C:\Users\Admin\AppData\Local\Temp\613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
"C:\Users\Admin\AppData\Local\Temp\613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQEQCAEWWSTGLST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1684
- C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe
  "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJXFOF.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHEIDLAXBYTRABU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:3288
- - C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCYYSL.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WSUGMTTEYXMVIHV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRQFOB.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NKKWSQUPXLNFMMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:4936
      - C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBOXK.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAIUVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        9⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYDTMP.bat" "
        10⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VLHGTAKXTRBWICW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWGOCBCXDTOCJD\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\OGWGOCBCXDTOCJD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OGWGOCBCXDTOCJD\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDXUOCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSELQ.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMMWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFTBOO.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXJHLCNSLBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXJGKF.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDOVLJ.bat" "
        15⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MULAVRMVHWBGVWU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWOIB.bat" "
        16⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRNKPCPRMFJKTPC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempONREI.bat" "
        17⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOCDWUDDWMHQHFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
        19⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGIRN.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVTYLBPKIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHJSOB.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUMCQLJYOBOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRLMVY.bat" "
        22⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FHXUUCQPBKBTKHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRYOMQ.bat" "
        23⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PXPCDYUPDYKEJXG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "
        24⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQERCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKIYWNMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQUHLHEVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKJT\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKJT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKJT\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMOXTA.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JEDRHVQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
        30⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQELFK.bat" "
        31⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TWHMREBQYQDFAAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXSSH.bat" "
        32⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRYNOBGN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe:*:Enabled:Windows Messanger" /f
        34⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        34⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        34⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempCGHQM.txt

Filesize
163B

MD5
65becba90ec3c2268f08c642b299af1b

SHA1
2516e80885adbd1dbeca15e478b8c60b47676f28

SHA256
cd1902e1548181d4faedb54a7929a04e262fa779d8ade5413697bce636e25e3b

SHA512
4777926a9c50b958813fdf3ef2c77d083f2817e9ab12700f994a61a7c639c3ca1dbf777d65a87a8239f5362f8cb02252362f416621dd1f5ceff898a5894e5d45

Download Submit
C:\Users\Admin\AppData\Local\TempCYYSL.txt

Filesize
163B

MD5
ca4179859eb5b79f8694a2715a157d20

SHA1
9ad07ed8d2b1d75ad7ff58de256a7acb10a9fe9b

SHA256
194781ea5e580cce16871558a5a1d0b5efc92752dfab4827c1330ca90474d06f

SHA512
f768c3b59793606045e256dc36ca70505908af0fb9c029e215635b65985ec98e165dcbd5d1fce4200e803c48a31c67d09289ee458e8d57751c1d47fbebe97da3

Download Submit
C:\Users\Admin\AppData\Local\TempDGIRN.txt

Filesize
163B

MD5
595674f8c2dd05631a17b5088ca7ba0f

SHA1
a8d9ba8de161a21018c3c5616076523f17de7dfb

SHA256
5fd3c88a8b2750e7640ba992ba8bc4b4960822a52c97e7336ce238e5f4cc85d6

SHA512
4c9f1b9e0c1e55afb06209059f7aceaa9ec82608f2bb011d63cb0268cc18d0218aaa36a3eb4ce3eb71ac0548e28b6bf319f492df72e1305d5d5dce624f3ab118

Download Submit
C:\Users\Admin\AppData\Local\TempDOVLJ.txt

Filesize
163B

MD5
0c196676c12fc8fd91ddce03cf7bc2b3

SHA1
a9a91d9680bafc913b0bf50cfd5ddc7295f187bb

SHA256
8503eed1e1a828145191ea6be958596b927a34017dbe46398753f8f1b31c6d9a

SHA512
7100ddc7737621fb82af46d8806df58e6093950c4405efcb7cd2cde88aebff86d7ffc68f2512bdb820a2860a3a11c9277b89803492a3f201b057010929b8af04

Download Submit
C:\Users\Admin\AppData\Local\TempEXXMV.txt

Filesize
163B

MD5
34502cca7bc090b69f34d0006b92c69f

SHA1
32ec62019fcedccef6780b2bae0029febb2875b3

SHA256
b4b472dc3779ba7db90b301b8283847f06bd53932142040301d6e350be76bee8

SHA512
da1f5d24fe89d9e57f0b94df39c92a46502f715698141666bb71d39402b00abd384c975ccb12bc7f7e004b85ae3db1fefc3d4bebf44c54a146f58d5093b8fe5f

Download Submit
C:\Users\Admin\AppData\Local\TempEXXMV.txt

Filesize
163B

MD5
9e866f8181a3cf3103041c39bf893cc8

SHA1
10f33e54f4ac23a78b5d61623cc467a171ac9c88

SHA256
b9b06cc28bb1f0e13aaa9a5b971c77809e1ad2e509eb1d6a9710f6fd3c16ffdb

SHA512
e3199afdf57382979ffc830bcf58a65c14f1cccc6e255d763c8b2569af3bf7173105defd84c0a46a26f9bf0085b547a9882ea46f4724c55eb52bff376b05f7ac

Download Submit
C:\Users\Admin\AppData\Local\TempFTBOO.txt

Filesize
163B

MD5
9289d04655d55a3601dbfb76a5eab54f

SHA1
d466dde4451583fc4b4dfd0216c4765db8d5a5a6

SHA256
3da84c962c75e6e9855b31f318e6711d960210f568c8d2d72ed68471dac40c95

SHA512
4f041ca86345e9cfeab3c174d5c2e4518519a61a64738b8d87befca9d2d300e216bac9aeecd2a7ac95b408847fbf8672c93d79e23922e0c9f9cc007307284a33

Download Submit
C:\Users\Admin\AppData\Local\TempGBOXK.txt

Filesize
163B

MD5
b5f65ca7b6b3b8d827cd0ded0d992cc9

SHA1
892b84b52e17814408dbf65260af65ac4b386064

SHA256
c76f61d4219eb3ac32e8f23cd439c5c7f5b5f75d1ce09ca8b660836f62436873

SHA512
dbcd2764b41f727545ade18784e6cbe132589273aa37cb1bd930a719adc34b8b0e165cc230e623a62e1aae562e5c0a08d1a087b0ddb09d701b234334b16b632a

Download Submit
C:\Users\Admin\AppData\Local\TempHJSOB.txt

Filesize
163B

MD5
9a43227d9d25c3b74f5890f01e9d031f

SHA1
a43915501c16406c07d6da843d4351bece3b5481

SHA256
aca7d0f9b9f8ff095e80b697b20c195eebdf5d581194972b659df219739e74c3

SHA512
38e5f238b195df3b540aa20e2afdbe60baffff136f14b50cf9e6b3c3a4d104bc20090468e052a5817cc1d933516dac9328688523865c641d656c34c54d276745

Download Submit
C:\Users\Admin\AppData\Local\TempJSNWN.txt

Filesize
163B

MD5
09d22b871f6f7c0ce345110034dd7d8f

SHA1
0ecafc1ffe940d12ffd42999391b6829b0279fff

SHA256
29b505d87e243fea0f1cb10947149c896b1ac2e321a2e1f7aa8e72ad55055a49

SHA512
482cb9396a9936bb06dac2d5bb25eec96d0f212537467beffbbc88d997e29f981bffc3ae7a998aa061a97a3775881773e3fd95e327c09a29598c6c64c948b998

Download Submit
C:\Users\Admin\AppData\Local\TempJXFOF.txt

Filesize
163B

MD5
bf9ca625ea553cff987ac4b9c549a9f1

SHA1
6c978d20f5546bd56b38793ba8fe731525b73ec8

SHA256
7e1f5c3225ee7a3c3849986d9448025ed598b78c12aedc44bdc5a8c83b4b2f2f

SHA512
1fdf53d9498838aaa86e9ab4d23e874de87918cdf4db60d3446231153ce2d4999203a143e67d1092a0bf123cda3404b87b6bd12ba2de556db363f08fe5f3c96f

Download Submit
C:\Users\Admin\AppData\Local\TempKSELQ.txt

Filesize
163B

MD5
9908f25a4b21479670cd8b26e43eebc8

SHA1
d9e8ab8de17e76da16add3ed9ac9ebd723b23a2a

SHA256
a2edaa3bb568e4a0c10822f588e0c3d115c576aa7c125ae8201aefe888866890

SHA512
4675f0d69687376e2a2ae73738115cedac4f929ec5d2d4268aa23e59484710cf7990c9b683772badaa92128ccf0f9f867eff04badab49ed34f8d75fa93f3f2e8

Download Submit
C:\Users\Admin\AppData\Local\TempKXFOF.txt

Filesize
163B

MD5
b196951fba48b5977560e9753b785b65

SHA1
e22f3e6d2c9c03545b5dc31252623bf766673f4a

SHA256
8b7922292951a99acead0d2660c90515a483da5780dfefc2417325f37d807731

SHA512
bd899da3d81da6bab9cb78167b9426efacab052eda353821e30afb1585749bcba973f92cbb41868a111a57b6917a8f0d0ae6019ac78690e822534923133b9aa9

Download Submit
C:\Users\Admin\AppData\Local\TempMOXTA.txt

Filesize
163B

MD5
2d04617476f92aa616aa6cbfa3b96c16

SHA1
5cfa2e11ba709e624f39c0b4b888fc2309281fce

SHA256
1d5c078f5e595aa5ef14e905c18fd1bab80b9ae80b213fc8b27e6c829535b028

SHA512
17a5d63d101f98ad2dfef83d77a2d12e51752c265a2d481aa6133b5dbac4ded64b0deeb8e40dcf8d818e920ce92152a992f067ca8b28e532c6b2aa4f2e7ce9d5

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.txt

Filesize
163B

MD5
f66f3267a3bab1cc959fa1d5af0c6a43

SHA1
30f9d9b5e0260c4a26075122ed947ae0bb817ac1

SHA256
62b73d8deec06eec732c12de69805934be35c1f930e35984602da606c4fc7fa0

SHA512
792f9a42f41bb37a52f567b0e73af29ac2dd946c0043a6405945418f5dd5cbf3c64a70a5c54620a2d69d3fdf0b302646b0b3dbc8833b800f7c85056fec2fe82f

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.txt

Filesize
163B

MD5
842060c6457fc3dbc7d32facf481b979

SHA1
5bb342e8e9e738b8197148724171fafe32b369b0

SHA256
2ba67b7e60a2e4d40e35509f913df5fe2c3d0a1828c44d4dd7ae7fb9083590b9

SHA512
c55c7dfa04e45113689e4149bb0e864d85c943700529d46b8439388516e55813fe601c337a856ad043f183d7d4eb34ed70e6e2e754a42f32b05b85101e29a12b

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.txt

Filesize
163B

MD5
cff95e52eb49a782a8095b477328d9dc

SHA1
8159a286587152d1d9f22d3b54c1a4772a6b0dfb

SHA256
75cf70941ac3afa1da1e2501f2bcbed4b1941fb01799cd07142c27ebd1ad1734

SHA512
f4a82ac66feebd26cc4a852e8c14f272a20be5f80fbe47f767c931e2d7b75313ebe22988092a1b3df6e533b8350092d16934b02c3015211e86a2b593b4f2faf6

Download Submit
C:\Users\Admin\AppData\Local\TempONREI.txt

Filesize
163B

MD5
72206e5af4573016d3b1c398351cbf72

SHA1
90b66a0908529ea84176889fac273400f67ef6ba

SHA256
85a2f40f6b24339c67af439bf4691849063ad700cc9cff0a3aaab3b9299a76bf

SHA512
3f7f051caab9a869ba4f93979678d1d97bf6cab3169b021b2090cf4fa563b9ec1e0695aa6b38b11000943f32493d2a4764e60284ba9be39fc11e1f21357b6dfc

Download Submit
C:\Users\Admin\AppData\Local\TempOWOIB.txt

Filesize
163B

MD5
60b799b41cfb780efd524a66bd098905

SHA1
cf92393a30f9a6a242f15aad2f9224991a049547

SHA256
dc7fd554f419c15271ede4884ad783cc35ad1f4b72d3b3bdcecf6a77eaa1bf83

SHA512
dd5ccb7332fd14b767ec9bcfc1d5763566a6cf32ce5c3d4543ad784fd5932c24e32e792d5bd140478b852c63d6ac87f234f3b6df996310400f0b2ccea38d4c38

Download Submit
C:\Users\Admin\AppData\Local\TempOXSSH.txt

Filesize
163B

MD5
e0a030a289cc60501a12bf0f2507e788

SHA1
47d412512a9c394d3c909d6d3721a78a4f02fc45

SHA256
5040bf052c1420fd955dc35f2e223e20a4a13246d82e472c6020681e69c8c6fc

SHA512
77203adf441370a4212c8bbc6493d6e19a019037e2f631f81ec2ea291bbbd39ce5fe57f5f0305d7707df198001b74b15e2cfa74c3194111dcda0ee58fc7f7ea5

Download Submit
C:\Users\Admin\AppData\Local\TempPVLJN.txt

Filesize
163B

MD5
577f5996f783f890ba33c6040c10977c

SHA1
d1915aefdd08072f2e106d8b9542286c8a5fa759

SHA256
d08343b6b8202d4a4277e3a76d5aa1eccaf3280293107211fcd647cfc318679f

SHA512
a60567082ad8f9ba8e96752f664c270dac82056d1fc05720b3b9854994b19a1d2b2ac47a707140799a24ba08acd1f4e096821228f167c29855b111df26e4db1e

Download Submit
C:\Users\Admin\AppData\Local\TempQELFK.txt

Filesize
163B

MD5
69d73b2bd6f77b930b038d7c237fe5e9

SHA1
dcb34cfbff19afa867b6f41343585cb8949147d4

SHA256
6c3401be70c8e17d8d456689727f62b4c393c0b5043b8b6103d4639259e74cdc

SHA512
e6bd32b913026e5e33751417120b920030ca7a3e1500787f33fba7b80181a72eab597dc3383bf756387af08d5425a3d3f21890ae330d49023a1fdde90542e67d

Download Submit
C:\Users\Admin\AppData\Local\TempRLMVY.txt

Filesize
163B

MD5
6ea0c68023eeb9a86a147f4c2bbe4463

SHA1
4d39149baed3beebe671e8023bb6a2b4e1b91f34

SHA256
0619b7998b4cf8e7bedb8c609b0ad2f32b57d0907008446265c2c9c0014e908f

SHA512
8869ed74a225531c898c68bddf8e60da2f0abf4a023d632f7954c86ec6c3a81c0a156e0032a3cd21dca863ed7aa7b910d555b591697177851de257db0c68e5d0

Download Submit
C:\Users\Admin\AppData\Local\TempRQFOB.txt

Filesize
163B

MD5
a92b449e7043a2d7bc94e0fdbc7bc102

SHA1
f5b59994829c0976c3f6134665f8750c0641932d

SHA256
4df58a6814ce3dd5960994c85ed3fb8cfef4a82e078174cc2fd228f5a8913c67

SHA512
cbc241d91031c23f8ac7ba377d14dcc7ae0703a0a3ccd29abfb1281f5c91384a82a5601d26251a121c9ab028a4205cedd900ead498c549a42194e0f93e838433

Download Submit
C:\Users\Admin\AppData\Local\TempRYOMQ.txt

Filesize
163B

MD5
e696807db71f65d8a3b69b7677cbe49f

SHA1
14818de4632dd58ecf9de2beba29b22f406e825b

SHA256
537734086f6373d5220443421c5fa351c3dcc4b1e2d656641d5e1cfbbd817c15

SHA512
16d3c370e730d768997b78e98653d683d64f80cfd6b70aad08c8852a582e190cf47e14483e2c6c0375e71ca75e9a50fdb498075de5cd4589c78e0a7666926ed7

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.txt

Filesize
163B

MD5
80fcdb7f0d083ecadec5420f5524c4df

SHA1
04f86b3afa07b6fbe7e2591bdb3799cc2e78750b

SHA256
743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa

SHA512
7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04

Download Submit
C:\Users\Admin\AppData\Local\TempUPYPE.txt

Filesize
163B

MD5
e5c64e21857cb1515aa4e0909a84bf12

SHA1
421a7cd46da5cfcb8d2f6daea5d9a160afd8480a

SHA256
71d13c4c08aaa4805329d6749afff7d04725791179e51edd962176579a6a6585

SHA512
5d9b9aae2a73c788b8fa913060c654ff2a8676383c0ad82176ed231d064938668ae423ed4c5ee2f7e27ecfd3c10ffc1cef6ae99f2670b32d5315f527750ff6e8

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFN.txt

Filesize
163B

MD5
f3d85b1490cc1409c6bfce0a010ae5f3

SHA1
b376eb0754003174f008dedfe3630f349fcc08af

SHA256
e5e0628933cbf4d42dd18f33809c3ed733a310c3b9f78215b2e90b3cd581cd2a

SHA512
c4746df7a565fca73690936004acb276c8354f3935525a50e2b690dce42224531a9b1133f25ca65eb1fb798cb9cb2d4e0edddc31489e4425ab06a8d6b22dbbf6

Download Submit
C:\Users\Admin\AppData\Local\TempWLXIH.txt

Filesize
163B

MD5
bed99924153a457f72a6257404261980

SHA1
a89ac11f99b22ee82e802d03bf71489fb1e7fcdb

SHA256
482906be9770e33010e13c0a43ce64a0b0b660c963c45372f9e73702f9dc4974

SHA512
8e500a1ff00a77c5dcb3c26d79e94c41b67d564ce62327733d6e4942157e7e6011e18d46f53c54bbf06e887e87e70863bee980e09bf244fa480b3ad06731f599

Download Submit
C:\Users\Admin\AppData\Local\TempXJGKF.txt

Filesize
163B

MD5
271339213f855c3ed4631e6c3895d70d

SHA1
da2e346a03afe50f27bc7fd7e8f64853be0a0de0

SHA256
5c7944d9ea1f7eb95cb93f77662d264e1460311bbfa8c3d2d3d060aba60deeaf

SHA512
cfaa38976ccbddb2096363ddfd6c8e278df4b00ccfab74f1c6e9e2fe695a9d451fdc80cf67aecb533a7d2344b4e9b3eabb13d3c6f62b82aa64c42ebda3b66d6c

Download Submit
C:\Users\Admin\AppData\Local\TempYDTMP.txt

Filesize
163B

MD5
2d2d83d37ff3193bc514581ccf74b94a

SHA1
55dcd71d6f2f837099aeead912ed1706f1cce512

SHA256
a0895f6480200d198ef3e3b08d8e029a682dbf013c184bb20c1661286d496182

SHA512
53dc28ee7d7932948fed3d6f1742283a4c56a1134c8a8c8ea0220da4d3395cd4f4a564f7084e8bbad9ad76811e3c6839b113ecd7355d69503f7318f97512a41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

Filesize
520KB

MD5
9ebea8e9fa4ceff841e2138016a28971

SHA1
0c5fa50e1c054fb9e282006dc0353ad5cc3fbddf

SHA256
1ebd50b13b68b0fcdbc18f65558d1a9b3462bf4c4efeccb25d224f5daa9cec2e

SHA512
2eb93e4d9a8a8b3a53affddfe6a0b14a606edf8b1417bcd97b412b177fba207ca7d7e73b5037ca94cfb2cfd95e237ab8f3549804aea96913b3cd6fa73a9300fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

Filesize
520KB

MD5
eba0d7e395c489305975b9d3264d4f93

SHA1
969ed7f8b03faa8638628d200b1f9313b7f9434a

SHA256
34696129413665b7152961a11d13417f7030e44c908ca8cad5e0652292a1cb1d

SHA512
944c85eebcf31b61e821575497d96716a434c3e44ae23605dc34ecf8af4fbec2a4ed48e3d020569d5586fe3bf0d596cb0211c0681199b6afaae8303a853c5662

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

Filesize
520KB

MD5
13fa19d9f7b6c16996592e8055584d8a

SHA1
f94a713725b368a2165404fcb1f0617cd3184052

SHA256
28fc8be54a039581e813c1815ed67cbe788272e4ef875e6d38517bf835efbbc1

SHA512
17e00b3cf52aee755dd3485892ccb207dd9360077e34b8ab04b88663393170cf6e7cb0dc54bad147beeb6e8ff135c573bc4e3890fd411303d362ef8e3cbeb575

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe

Filesize
520KB

MD5
a0a7d1d91970334a2c433c259ba23ec7

SHA1
0221349e59257fcf5b126ec940f9336eb457703d

SHA256
0639dfd4c9280b950f282503b9c4203c6f75cf53c05f06f8adf17282ecd961f9

SHA512
987f8e3dcefd8549de63f33cc33744fcc70f7df73cef3b8a8f72321e9379ae0e781d2344a924d8accd5cc918c48ae7f2c44cb8091d4eb9984552784390ad3912

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe

Filesize
520KB

MD5
f9cbc85b7cfab9935f27f4348298f26f

SHA1
c895267f228549a6ed10c8273a8844a024e703bf

SHA256
33a62c0c07ad733a3b119e1d33c47194386efd6d615ee835cbf0fe7053a7b778

SHA512
8922509972b9bf071d6dc1508ebc459e9d3b8e97261fd6518b078bcd683798cc49310dc25ee41ac01dea0dd3e922f98aae1eeccf06b48dbe0b91ff54f9d674f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe

Filesize
520KB

MD5
a8d264b23459f1531dba7ba2b81691be

SHA1
acb6e4797b1f7f5a19a298f8a2e49583f59253fa

SHA256
5d106f30d3aadc37460a00c6effd709236e3285aba7fa7f3a7c29ba6767d543d

SHA512
3cfb50f482f5e6226e48b33dd26202d6b15624215e702b8ed0016fbab0c56832aca8392fd3e7bb8397125da9da4a6d90166426dd495763b81f651625285546ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe

Filesize
520KB

MD5
ce621da37c7248669c1e282e2b750801

SHA1
ffc3dad3575a1771e009398d4aa83bcfee57231b

SHA256
c78cf44004f30a9d606fb69e71f4a68a4f5a33ade3959a3a1110ba84d316acfe

SHA512
cc9ea97650554b4a537ce23eb33d3debfbdfad71e987bee53633b5306d2f290ab75bb6095dd08046f3c9553f859eb852fa00c6fdd49b65641989d94cac201988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe

Filesize
520KB

MD5
08763f3515020b9fe1d87f9fd2e9565c

SHA1
dca0f1115096482e1760ec7b2f9d48dd779697ca

SHA256
2e6f44b62429dd430c385592a1e4f059b9342463ab83d5f348dca6eb5aa73342

SHA512
ad02b052f19aeedadb97a19684f34296b83877ff518a23c2f4ed0c20e07751162ebb0fc09619bc987d2cbea3e969f8ec267e7fd481c25ee20f08f194d33c6ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe

Filesize
520KB

MD5
2aa8ffdeebf5d2c2cf2ea7b9a4766a8c

SHA1
42470693adf60580d0a7ebf6d22d599c7755f4f9

SHA256
6f8cdf9e7be677b9128dd3398146c66f4b09340add400e904a92a6ac962625d4

SHA512
8764e1c4e4eb26caa667f02a8fa09c4a1982ef5409429cd32bd1d9e73e7a583b3661fc1b6aea9141de538353ca211cfc6d5ab13ae9ee6c96249e6cf7670e0b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

Filesize
520KB

MD5
9269f9127b1b81fafa6a1875778cd135

SHA1
2c2e750b5ab340055aec3f0456992f8718b85c02

SHA256
ab6e1da05396f197bfea6e2012a1cbb147c6c40cc93c1bddd94930f750c99cd2

SHA512
3f99971b2a5c53b41e283411ac076a9243bde4954e7fe6dec86e173052c772c0391103f2d9e16892dc7cc7c88f5426a4a7d18bb28631086e00082d05993b9e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe

Filesize
520KB

MD5
24d9fc5ddd636cd87a83947685cda766

SHA1
c0b2ceee1db7e003fd52ec34816feff5b404be13

SHA256
ed97d9f8485a09ce09da76190e38d24040a0fbc9fbab1056fe59eafa87e56b0d

SHA512
38b6f433a0939ca053ba6694b6f5632e1b481cdba8bc730459a790e450d4e0175aa969d1ae0a94449eccc792b747fade5238d233d1f47d129e1450946f42bec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe

Filesize
520KB

MD5
820bd6a60c2e6424b83386af90f90c21

SHA1
2de6d6e80a83442fa3e7e2912011b679ed8fdd4a

SHA256
b4e9a9f53ac7156a884a7cef95f45d579833bdd815e030f8131368d27dbbef05

SHA512
cda51aaa38324127c2f35402ae0280b156c79c117c636862287da8d18bbdef428b54a0dc9f77481249ccc9d35c2c61789e80e96838e676fa731476f8c9710b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGWGOCBCXDTOCJD\service.exe

Filesize
520KB

MD5
05cb26281043dbdbe9116325e486bee6

SHA1
a62567b2894c29dcd4db24213ec35f98492bfad8

SHA256
05217c6cae68dac71cebfeda8f087bb3aab99c0256054839bb19b5caae1d53da

SHA512
6c10337e30db105e2cf5bd514b929ce8b843505575e88bd1f44ca7a5b03955c0bfc9f95d1022a088d030beb81afaa6f81225f0ec0eac64276071b262f5b7dd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe

Filesize
520KB

MD5
83d7431f8a60a9d23cb76d29b2f44ffd

SHA1
d4c3f189df79575acbe22e889a1e552ece6c62ff

SHA256
fe2b5dd3f6f4ad2fd69def49125f3b90a85763e87774b76215fdf1785892419f

SHA512
9f362b532c9c9ac4a968fd394927e9d5f5b68e7e09cc34b6beba43b33ad10ab5ca0480f3cef091298e9d45fd0ca6c9e76b3df3483eb71db1163a48729842eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe

Filesize
520KB

MD5
f2abed6f935ff240b9d6a2f087f71601

SHA1
54d086fc354a77871ac15966f29881402434633e

SHA256
9bec4ee43f64649240930e354e06d82abd0bc01c6f81e945db60fec5595e1b82

SHA512
116ea148e9df9aeeb31b03514f096d380f468067af5f1c07eab9f4e8f3ce55671feb9cf0786bada3e02d2ea0dfe9cb450a01fa14737b22cdec379e77b1c92f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe

Filesize
520KB

MD5
cfbfc08791a0fb19ade560b0943e91d2

SHA1
0e41d210bde733a936bbea44e1c4d709472ed2e8

SHA256
6bdfe3cb26db480c31fbced003315a3f90eadd0ff62d938be0aebf184f00e623

SHA512
1979182edb1f5a955230300932c50bf4b7744a375641424e25637da6160be3ad8553c749f36da693cdb33b62e3dff21db58b2ca989d06ed58ee1b6a2b66071fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe

Filesize
520KB

MD5
afd98c841688490441a27f9cb109146e

SHA1
55847e8bcab0bc6e89674b2788999ed7f2515694

SHA256
10d761f8ca394e4d08a3d49b496949debcb7d0adcf113945a69ff3314bd2a2b4

SHA512
24406aa4d416122d3fb05a55609ba04a0fca199e538b01012bde8a755a6b5d9f56d6b4e91f7f875fecc436c944b68e683a0af5cf36f6bef5b5c883ffba58eec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe

Filesize
520KB

MD5
4102df87e44bacad09252e37e813d9dd

SHA1
6f5b1c64206a280f9bf41a6286b7504806f29672

SHA256
51239577d36ec099d64a0bd2a6db8446feebff780462b03fc80da953272abb7c

SHA512
a4b6301429d4ef3b3cfe362011f625a22ccb8a198dd0da3a3bbee4770b7e776d721b55331917eef48c91de6476580966979e52f6b9068d93ed6c1f59e25e5711

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe

Filesize
520KB

MD5
96c82ea71e2dc84141dd62ebe74dce5c

SHA1
5b19e64400c346caca8520c5aa43943cf4c18664

SHA256
9bf349495d02924d182d5949f17bdefb156d249bfd624ea397d927bd7c6c8f00

SHA512
c26b65ddef6b9833d647a92b29f85af42e437533c499947574521b7a1d00406f24379d61fbbbe538f0d9e706cefe919cba6bdcdf305c268c7d0a69b1844692eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe

Filesize
520KB

MD5
a0309a7673ca50099521e6189dca5ecc

SHA1
b85c44c411616b7032d049d9791a98df186be7b4

SHA256
bbb0c75cc992ba2d46d753d6024190c4b63906b5b0add85b437b260630b65567

SHA512
af5fff6782d419958fdaf486fd61e85b9398df04748b4fdefb198ffb48b6c50365cdc9715b94144ab3ee64bee30c73322cde37250c22de9f6fe6079e4efbf903

Download Submit
C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.txt

Filesize
520KB

MD5
b68fcfd4cf0220c140439dfdbf4db443

SHA1
3ed8f2ee208dcd12d0a2b0601d730df33c3c95b5

SHA256
9531040589f8fdb76a9a2d7afc698bc875b442928d6e67109361de21ceeaa555

SHA512
9cbaf2e8669eb2b3cd6133978ae1727c2c031ca90e1439d6be8544bea49f6d41e27f2e55c664275489dc7071f02f65f424ae6f8eee098e1aee94f5cba1dfb8a2

Download Submit
memory/764-810-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-811-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-816-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-817-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-819-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-820-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-821-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-823-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-824-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-825-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-827-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads