blackshades | 7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
Size

520KB
MD5

45215ec7f8b8c4970d04c8aa7fe60c6d
SHA1

18c3f4806fe113ad86a062fb7bbb264c7faa6bed
SHA256

7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76
SHA512

b85585ee0a0fda99228e6b6fbd5cf9542182645ad20b9d71a0f9f507e6e279c3ca2d2f67dba0d0e43a2b4e9e9e04c518a126f8f0b4463aad28e0ba73f1d8e4cb
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXq:zW6ncoyqOp6IsTl/mXq

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/2144-1026-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2144-1031-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2144-1032-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2144-1034-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2144-1035-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2144-1036-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2144-1038-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2144-1039-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2144-1040-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMLRNDQXH\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 41 IoCs

pid	Process
2740	service.exe
2668	service.exe
2952	service.exe
1824	service.exe
1624	service.exe
1720	service.exe
1780	service.exe
692	service.exe
2396	service.exe
2096	service.exe
2360	service.exe
2844	service.exe
2100	service.exe
352	service.exe
612	service.exe
2588	service.exe
2284	service.exe
2460	service.exe
2620	service.exe
2656	service.exe
1560	service.exe
2244	service.exe
700	service.exe
2580	service.exe
908	service.exe
1632	service.exe
1684	service.exe
2004	service.exe
2724	service.exe
2960	service.exe
2348	service.exe
264	service.exe
1924	service.exe
2584	service.exe
2480	service.exe
1636	service.exe
1584	service.exe
2940	service.exe
2772	service.exe
2816	service.exe
2144	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
2740	service.exe
2740	service.exe
2668	service.exe
2668	service.exe
2952	service.exe
2952	service.exe
1824	service.exe
1824	service.exe
1624	service.exe
1624	service.exe
1720	service.exe
1720	service.exe
1780	service.exe
1780	service.exe
692	service.exe
692	service.exe
2396	service.exe
2396	service.exe
2096	service.exe
2096	service.exe
2360	service.exe
2360	service.exe
2844	service.exe
2844	service.exe
2100	service.exe
2100	service.exe
352	service.exe
352	service.exe
612	service.exe
612	service.exe
2588	service.exe
2588	service.exe
2284	service.exe
2284	service.exe
2460	service.exe
2460	service.exe
2620	service.exe
2620	service.exe
2656	service.exe
2656	service.exe
1560	service.exe
1560	service.exe
2244	service.exe
2244	service.exe
700	service.exe
700	service.exe
2580	service.exe
2580	service.exe
908	service.exe
908	service.exe
1632	service.exe
1632	service.exe
1684	service.exe
1684	service.exe
2004	service.exe
2004	service.exe
2724	service.exe
2724	service.exe
2960	service.exe
2960	service.exe
2348	service.exe
2348	service.exe

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJJVRPTOWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHDYSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAIUVQORGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBLBWTSWJANJHXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLODRYHTYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJREKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVOTMCMGEHXTUCP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\AONHQXIEPIJSWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\PGFQNMQDHDBRXPG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFBVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNSOCPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPDYKEJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNLSOERYI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMYYCUSBVKYBGPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\KJURQUILHFWUKKM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVAXSQTIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSERUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYKIMHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKUQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVMUJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLCNSLBBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\SECGBJUVRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVWKXIGLYCMSKAA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXHTTUPOUQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFAAVQELGKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\KEJYXFGRXOMQLTH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVWKXIGLYCMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MIIURPTOVKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYRWPFPJHKWXFS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXCUSBVKYAGOF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXCPFTOMRERTOHK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOIBGNWNSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMLRNDQXH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIWDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAPQOWIP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\OJHJNUDPTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHIFNGKBM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSWJANJHXVMMOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOEPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\YEWVRSFLSSDWWLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\JNKKWSQUPXLNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSXKAOKHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RTJDBIRINFWNBLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEYAVQDKFKXGSYP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQEBPXP\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1148	reg.exe
1676	reg.exe
780	reg.exe
1612	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2144	service.exe
Token: SeCreateTokenPrivilege	2144	service.exe
Token: SeAssignPrimaryTokenPrivilege	2144	service.exe
Token: SeLockMemoryPrivilege	2144	service.exe
Token: SeIncreaseQuotaPrivilege	2144	service.exe
Token: SeMachineAccountPrivilege	2144	service.exe
Token: SeTcbPrivilege	2144	service.exe
Token: SeSecurityPrivilege	2144	service.exe
Token: SeTakeOwnershipPrivilege	2144	service.exe
Token: SeLoadDriverPrivilege	2144	service.exe
Token: SeSystemProfilePrivilege	2144	service.exe
Token: SeSystemtimePrivilege	2144	service.exe
Token: SeProfSingleProcessPrivilege	2144	service.exe
Token: SeIncBasePriorityPrivilege	2144	service.exe
Token: SeCreatePagefilePrivilege	2144	service.exe
Token: SeCreatePermanentPrivilege	2144	service.exe
Token: SeBackupPrivilege	2144	service.exe
Token: SeRestorePrivilege	2144	service.exe
Token: SeShutdownPrivilege	2144	service.exe
Token: SeDebugPrivilege	2144	service.exe
Token: SeAuditPrivilege	2144	service.exe
Token: SeSystemEnvironmentPrivilege	2144	service.exe
Token: SeChangeNotifyPrivilege	2144	service.exe
Token: SeRemoteShutdownPrivilege	2144	service.exe
Token: SeUndockPrivilege	2144	service.exe
Token: SeSyncAgentPrivilege	2144	service.exe
Token: SeEnableDelegationPrivilege	2144	service.exe
Token: SeManageVolumePrivilege	2144	service.exe
Token: SeImpersonatePrivilege	2144	service.exe
Token: SeCreateGlobalPrivilege	2144	service.exe
Token: 31	2144	service.exe
Token: 32	2144	service.exe
Token: 33	2144	service.exe
Token: 34	2144	service.exe
Token: 35	2144	service.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
2740	service.exe
2668	service.exe
2952	service.exe
1824	service.exe
1624	service.exe
1720	service.exe
1780	service.exe
692	service.exe
2396	service.exe
2096	service.exe
2360	service.exe
2844	service.exe
2100	service.exe
352	service.exe
612	service.exe
2588	service.exe
2284	service.exe
2460	service.exe
2620	service.exe
2656	service.exe
1560	service.exe
2244	service.exe
700	service.exe
2580	service.exe
908	service.exe
1632	service.exe
1684	service.exe
2004	service.exe
2724	service.exe
2960	service.exe
2348	service.exe
264	service.exe
1924	service.exe
2584	service.exe
2480	service.exe
1636	service.exe
1584	service.exe
2940	service.exe
2772	service.exe
2816	service.exe
2144	service.exe
2144	service.exe
2144	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2008	2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	30
PID 2572 wrote to memory of 2008	2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	30
PID 2572 wrote to memory of 2008	2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	30
PID 2572 wrote to memory of 2008	2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	30
PID 2008 wrote to memory of 2704	2008	cmd.exe	32
PID 2008 wrote to memory of 2704	2008	cmd.exe	32
PID 2008 wrote to memory of 2704	2008	cmd.exe	32
PID 2008 wrote to memory of 2704	2008	cmd.exe	32
PID 2572 wrote to memory of 2740	2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	33
PID 2572 wrote to memory of 2740	2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	33
PID 2572 wrote to memory of 2740	2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	33
PID 2572 wrote to memory of 2740	2572	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	33
PID 2740 wrote to memory of 2772	2740	service.exe	34
PID 2740 wrote to memory of 2772	2740	service.exe	34
PID 2740 wrote to memory of 2772	2740	service.exe	34
PID 2740 wrote to memory of 2772	2740	service.exe	34
PID 2772 wrote to memory of 2836	2772	cmd.exe	36
PID 2772 wrote to memory of 2836	2772	cmd.exe	36
PID 2772 wrote to memory of 2836	2772	cmd.exe	36
PID 2772 wrote to memory of 2836	2772	cmd.exe	36
PID 2740 wrote to memory of 2668	2740	service.exe	37
PID 2740 wrote to memory of 2668	2740	service.exe	37
PID 2740 wrote to memory of 2668	2740	service.exe	37
PID 2740 wrote to memory of 2668	2740	service.exe	37
PID 2668 wrote to memory of 2144	2668	service.exe	38
PID 2668 wrote to memory of 2144	2668	service.exe	38
PID 2668 wrote to memory of 2144	2668	service.exe	38
PID 2668 wrote to memory of 2144	2668	service.exe	38
PID 2144 wrote to memory of 1032	2144	cmd.exe	40
PID 2144 wrote to memory of 1032	2144	cmd.exe	40
PID 2144 wrote to memory of 1032	2144	cmd.exe	40
PID 2144 wrote to memory of 1032	2144	cmd.exe	40
PID 2668 wrote to memory of 2952	2668	service.exe	41
PID 2668 wrote to memory of 2952	2668	service.exe	41
PID 2668 wrote to memory of 2952	2668	service.exe	41
PID 2668 wrote to memory of 2952	2668	service.exe	41
PID 2952 wrote to memory of 3020	2952	service.exe	42
PID 2952 wrote to memory of 3020	2952	service.exe	42
PID 2952 wrote to memory of 3020	2952	service.exe	42
PID 2952 wrote to memory of 3020	2952	service.exe	42
PID 3020 wrote to memory of 1560	3020	cmd.exe	44
PID 3020 wrote to memory of 1560	3020	cmd.exe	44
PID 3020 wrote to memory of 1560	3020	cmd.exe	44
PID 3020 wrote to memory of 1560	3020	cmd.exe	44
PID 2952 wrote to memory of 1824	2952	service.exe	45
PID 2952 wrote to memory of 1824	2952	service.exe	45
PID 2952 wrote to memory of 1824	2952	service.exe	45
PID 2952 wrote to memory of 1824	2952	service.exe	45
PID 1824 wrote to memory of 2316	1824	service.exe	46
PID 1824 wrote to memory of 2316	1824	service.exe	46
PID 1824 wrote to memory of 2316	1824	service.exe	46
PID 1824 wrote to memory of 2316	1824	service.exe	46
PID 2316 wrote to memory of 992	2316	cmd.exe	48
PID 2316 wrote to memory of 992	2316	cmd.exe	48
PID 2316 wrote to memory of 992	2316	cmd.exe	48
PID 2316 wrote to memory of 992	2316	cmd.exe	48
PID 1824 wrote to memory of 1624	1824	service.exe	49
PID 1824 wrote to memory of 1624	1824	service.exe	49
PID 1824 wrote to memory of 1624	1824	service.exe	49
PID 1824 wrote to memory of 1624	1824	service.exe	49
PID 1624 wrote to memory of 636	1624	service.exe	50
PID 1624 wrote to memory of 636	1624	service.exe	50
PID 1624 wrote to memory of 636	1624	service.exe	50
PID 1624 wrote to memory of 636	1624	service.exe	50

C:\Users\Admin\AppData\Local\Temp\7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
"C:\Users\Admin\AppData\Local\Temp\7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe
  "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIURPTOVKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2836
- - C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
    "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SEMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe
      "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMDYBN.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:992
      - C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREC.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSERUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNOYTA.bat" "
        10⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCJWES.bat" "
        11⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQQFN.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJJVRPTOWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAIUVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXBNK.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIWDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIP\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIP\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFTBON.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLCNSLBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSWJANJHXVMMOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJHPBH.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AONHQXIEPIJSWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHGTAX.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEWVRSFLSSDWWLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
        19⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNKKWSQUPXLNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
        20⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKIMHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
        21⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
        22⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMMOJC.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBLBWTSWJANJHXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGIDAK.bat" "
        24⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PGFQNMQDHDBRXPG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
        26⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOKHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RTJDBIRINFWNBLC\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCESAO.bat" "
        27⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKXIGLYCMSKAA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
        28⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELGKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
        29⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDPTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "
        30⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRRCVV.bat" "
        31⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSOCPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "
        32⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEYAVQDKFKXGSYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQEBPXP\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQEBPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQEBPXP\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        33⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIBIIR.bat" "
        34⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KEJYXFGRXOMQLTH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        35⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKXIGLYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHADEO.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJURQUILHFWUKKM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMKSEK.bat" "
        37⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXCPFTOMRERTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIW.bat" "
        39⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLODRYHTYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "
        40⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPDYKEJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
        41⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        44⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQXH\service.exe:*:Enabled:Windows Messanger" /f
        44⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        44⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        44⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.bat

Filesize
163B

MD5
2a28d3eb244de60a40c4fd3612ab8c71

SHA1
bf705208da5e11170daed7c38869ec3416defc40

SHA256
6144e661320f24b4bf026af8b513273d6313fbf0ac21dc86a40031e30107a93f

SHA512
132127b030c84c266d3fce7c0b8589aae5612764a98a5198e271d8d984df91a30e174ca840071da364fcf2f2661deb03b1429981633cd3fa522f8f9c7f798373

Download Submit
C:\Users\Admin\AppData\Local\TempBPYLK.bat

Filesize
163B

MD5
3432dc8be3e333fb31a13628ddaadd54

SHA1
071b2d1404912811f9385dcec4204252b2ba1084

SHA256
fc6c3426aeb285aafe8351433842032f34f85448496e84de7d7e8eec49dcd2bf

SHA512
49beabe16a68ee59cda4f1d1a8477518daa4bd576a8c963477737afe448189acb9474a5883ae0532343521d65f491c2e5a97b1d7db6e3823f8e601a0f959db09

Download Submit
C:\Users\Admin\AppData\Local\TempCAJXF.bat

Filesize
163B

MD5
c68c3e5a50a38742641912ee2aab7548

SHA1
2fd2fa74689e2c4c479a4a42e9286c6076d2fc50

SHA256
ecf01c5255d39db0b77f5312c81a9d6a2bc05edf6a3c82dcb5313b5137a046a1

SHA512
82aaf3be7b05c10d9e09ade098ca51cdb486ec5585f2f3d8ebf0eced5b5e557a4cc444043ba91d0b6ebb132caa405ab074b987c0c71977c0f9d8ed3551981d67

Download Submit
C:\Users\Admin\AppData\Local\TempCESAO.bat

Filesize
163B

MD5
4c9dcd2370d9eb212d680bf1a42b6a62

SHA1
1e2c22e2b5fd6ee096038e19b8387cda8b628c60

SHA256
00b6bfcfef3a406558b7d39b932b4526bc34ac529fdbd05c370f6453f07e1c41

SHA512
fe1cb950343e6ecd8ad6677c6c417e3b962815eef7ccb6eca0a2c241c757b9a13ca21fb01ab83cfccfe64700d57527acaa7614058a8aad617683c96ec76d2430

Download Submit
C:\Users\Admin\AppData\Local\TempCFHQM.bat

Filesize
163B

MD5
239eefbaf454ce3171eb75aa104a7a8f

SHA1
50893d5e37d59ad3eefcba0a9e1ba21e577eec57

SHA256
42a5cd25a77b02f06eb1ae7a34748b049a79133c66d759506d97042a453c213a

SHA512
de14c047d07056c963f2ba149e747ccf5e0a2bbd14ed0fc999a9d66c4000f765ccfaa191825d6dfd4aaffe8536612ef7aac7a521a7f0904bf061151983d4711b

Download Submit
C:\Users\Admin\AppData\Local\TempCJWES.bat

Filesize
163B

MD5
c50d79b236fc07a5a145d77ae9d6ba1f

SHA1
fb4ee16bd4641bd879c679df28186a614df8418b

SHA256
f0769ec766bcc17df668ea2f6120d352b890dacee247b7e951db4b102f2bcb54

SHA512
131fee614987ab4762d752f5dc8708a90d9686d8e6375e95bd92a7ff316fb48d919f1f6f51bd1a45072d3d4d5f6a11691df8deef3978401b54c5fad25bd0d579

Download Submit
C:\Users\Admin\AppData\Local\TempCWAMY.bat

Filesize
163B

MD5
1cd39d2f28bdc0e35e059bd9a929c777

SHA1
e0f0451e82611dc51329c2cc1213543133393057

SHA256
4af301a83cc0fea0bc0e6a4abd8d1a0b066d987fb79c9c58ffa225a3813236b0

SHA512
640b1bcd0f4c14b7eda5086448d19042cdfc4284752da5ecc7c99d417db5230201b6260f06a0067396d4389ea390f8f20e7a56788cde2587fbe11ee37546e12b

Download Submit
C:\Users\Admin\AppData\Local\TempDXBNK.bat

Filesize
163B

MD5
914bec3269045c21b77e0ad692dafe2e

SHA1
d85849dcac6fdb8381e8efcb36a21a2655b2a7bd

SHA256
fd91a9f70066074bc3a3b07920875adf29331599b8fd493a1b80f345664f8640

SHA512
ff95ad7c3a3386fd23ce4fd79e9e3064c6e4c47f78cb909dfffe9d5020a236180deb3e5629764a44539f8cc2624ca7047e4ef1f0ca7ddd20a45591eed38aa428

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.bat

Filesize
163B

MD5
c731957bd0f5ab55a17a70d5d2a613fb

SHA1
dc27ef43866ac519da3be39054cbf1e317c3096a

SHA256
d5c333b19415937e0fa00d27b12d0cb54289adbd5a1c7b89ed99b5893cbe3b58

SHA512
a3ab9c3f12b60ef7055630fb964bff6ff34097735a820562d964e03fa2fe301ccfc02a0ce77770149a9f177b7362eb15982bd5a44d30f23f504a6d6ddece9aca

Download Submit
C:\Users\Admin\AppData\Local\TempFTBON.bat

Filesize
163B

MD5
d3bf12dcf3fd84d6bc32c940cdabef6d

SHA1
c1fed0b2b56f493aedaf32524864a31d09e18e21

SHA256
2dcc25820295d82e1f5475159d409cd5292f77d23611e62019a617bb447bdebd

SHA512
c57bb72b0ce39ce5cc0d01ebd90351ab718b2d5a4c07fcd3cb624603d4c87fd6ed25d470f5eb8602bdfef3c20d2b48d3fcd37aeae808050930aa352e4a7301d9

Download Submit
C:\Users\Admin\AppData\Local\TempGIDAK.bat

Filesize
163B

MD5
3f087c8a20b469c931e2e47b617e4059

SHA1
106034b6aa0dd211f1b8ad36cbb90c878ed050ac

SHA256
3f9e76718cd8515f3ca9507e4d0c42ee4aec018bc11a81d28823346b263c63fb

SHA512
851adbbb78ffdc74325a7c2ea2bf3980e9858193dc92cb8d853aace1efe94bfdf3ff5072b5d1aaf8fe8b97c006760f99d9bdbe81a3d7e147fe8875ef6fc9c23e

Download Submit
C:\Users\Admin\AppData\Local\TempHADEO.bat

Filesize
163B

MD5
830843c0b5c1d48007e7e916c170a309

SHA1
cfe23022254591ddb235267a9e74c6c464b4b083

SHA256
b13965fdae4bc387e79834c69d5a09defa676f82d2c8b0fe51c7bac67afe68c1

SHA512
6721895fa40e9d8ad4594f3590cbc5b0b3b5e04cff64ef06ca0f4f47b2841eb2f2f3f05576f3f2e4a6695f9c4a5b6e0f544203fe8b11202e568c1e292f092674

Download Submit
C:\Users\Admin\AppData\Local\TempHGTAX.bat

Filesize
163B

MD5
9604c0405f7ea5f212dd5f2e1060181a

SHA1
0d76c338f7f12970ccf1919cac3804cb763c1bd3

SHA256
b263b480b2619b9faf6ffe0e4e0bc1e6c80c6489093214caaeb01c30ca16281c

SHA512
0cea687e9bbb9fd52c235362b7a3c7ea2c4213dc3af46729719edcffa796d92c696b79690c8a97e02b6956b9f0925997f1a3993bf4ddf211fcfeaeb2b5865490

Download Submit
C:\Users\Admin\AppData\Local\TempIACQM.bat

Filesize
163B

MD5
9fe31522e32686d96aa4b7f746e43622

SHA1
eb58bb76f771b5113e0cd148c3f708dd5544bb28

SHA256
3409ec305bc11e703108de450fd3ecb5593ddaeef8f099d0ea7d065310c19a6e

SHA512
6966491fbbbb745f6d21cfc8a8717902cab3e448009722c51984162e202e6feda31d5dd4f0211bf5bfdebedc20a1135b24af227d2788ccf3342953cfb98c5a47

Download Submit
C:\Users\Admin\AppData\Local\TempIBIIR.bat

Filesize
163B

MD5
12b6ffe9ba34338927518941b130a95e

SHA1
575e7b61f5f2517349657a4d369bf767f2d098f0

SHA256
215740b235de9250b762298c5dd880ded388520d7ad9d8186c4d6d82aed1d56e

SHA512
b05ec15cd0796ed08bff138fe4ac3d886f6fc3bfe9c64549f46b9e20d4387a595477161f3d20a19422af3c74bcbd5767f3cbdbccf13250d15dfe2ee925415031

Download Submit
C:\Users\Admin\AppData\Local\TempIRDJO.bat

Filesize
163B

MD5
2f862968031e33678a88f2721ca60fe4

SHA1
eb9b36d5d7dbf37df95e68eb7f96a9851d677ca4

SHA256
e2782e5da22d51f2f8113104c8eb4eb46ceaf5b8f1174db2a0e208411d40c71e

SHA512
6d4273685b4801dc79d6b9f83a3cff53214f469fc7272a1c49a49ba6cc518e1aef20b31ee28c93c37be6d6356b04a0c8d32266ee34e565345b9a25ac75486f99

Download Submit
C:\Users\Admin\AppData\Local\TempJHPBH.bat

Filesize
163B

MD5
00b7af44531088a30a6650987a99ac2e

SHA1
7a862f2ac92c365d7aa9372c89dcce37bcf35510

SHA256
31cc9867679c60f20a00e3e5d05d20dc63a7b0e915a1889fb153195164c4fe65

SHA512
d50df0c790741e63dfdb7baa4b59a3133c3f8ab8e699fe34e016d871aab54e3c7947a5693aaed48e19ba4d2ab313c17460d9c6eee5a1c003214a2a3946f2b722

Download Submit
C:\Users\Admin\AppData\Local\TempKYGUT.bat

Filesize
163B

MD5
1c95cf0a551ea20f4178aae177d34802

SHA1
20066dae2ed26163ec9a8a4ce88b7ef4aa99bb1a

SHA256
8aee5c73502e5e832cecf66dc66a0831d219c4decb1f3d9197255ab59fe7fe48

SHA512
82f0fa523d17a176fa6d2946bec85f424fd784766ebcc0ba730a4ac2ca6aa536c3afa8a7803cbc1868a8d26b6c41af3c3f3f070a64a76066b5e15332f74cb11c

Download Submit
C:\Users\Admin\AppData\Local\TempMDYBN.bat

Filesize
163B

MD5
0ac8ba102232c07a61f7c9405af32b7c

SHA1
5b9c87c8d6fdd893d6f87cddfdaabc46a632dc98

SHA256
3040787c0fed99fdbc6164d23968626c009f31f76f7a139e17692c9257ee8f20

SHA512
688c61baae71b0a6f2f8560d99afd39661d6b968c528908abd30cbed362142ffa33d386e8f258c3dfdda0c5c881524e81b4b91bf1595c9dea28b7b22cdc6981d

Download Submit
C:\Users\Admin\AppData\Local\TempMKSEK.bat

Filesize
163B

MD5
8c3e946e8ac48d8b12067190c4d6b718

SHA1
9788394d97f10f265993cf1cbbdce41768c6055d

SHA256
42ef5bf41451b0ed7407136a8dad8ab996c811ea7ca3c0b365b3377704a997c5

SHA512
cd4a4ef343585c3b373600bf80c599b6709a920b9a1e0f7b4a6365f2806a4d3ed8fdabb70e6ae8a42759f552676e47f4623583e64936ad4fd1a525fa7c4c2679

Download Submit
C:\Users\Admin\AppData\Local\TempMMOJC.bat

Filesize
163B

MD5
7c3189e67801319eef05ab82ea9e3997

SHA1
b4ea826beb695e1fd22c62918b3ece96a58c3d6c

SHA256
8e56f5e100c7b65ad868358fdd77e2aeccbf6c6f2397ac378d367e9a85e0f9be

SHA512
529473b8cfcd8ed1b2c9451971feb33dd660b52696351515ba0854938d99245f3dc8986d29279c82c1d069450ffd0b92cd3365b35d9c30f5aa8b910e00c61e4d

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTH.bat

Filesize
163B

MD5
132d99bd9fe3ff7634e8d036f664bb2c

SHA1
69afb8e482599e8b360fcc0aade71224f5a3c1d8

SHA256
4c53b53588f7047490fde9a58c2e44691d59744746ed638cb54739ff654f6bf0

SHA512
c8ab0cecfc18665b884d79c30763bc766f6c2b03c0f90a86e3e0e6ad5ba526891916a170fa72e23aea37ca640b8532990f30f3c6712d6ee1dd7e9e1bb9db2a2a

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTI.bat

Filesize
163B

MD5
ef54da359e79fc21f31738c3665fb988

SHA1
50e610cf206885396ada579d441b26e84158e82e

SHA256
83c0b7045ebd2f6da13c86f80815782e71fbfcfc87e0209ad591bd4326d5dfaa

SHA512
01b1b971e7820387f8c1ad0d6d90cc92d85310f91cf3f69f952f3d66542f45bc477fb1b0fdc09f5f6f63d2bc71ebeb7e98909546d60a3c1ce654c73ce9367813

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.bat

Filesize
163B

MD5
abf690e164624393c1ecd73a68b37838

SHA1
ca1889540908da3e0d10057c1eff7707d47fd8e5

SHA256
7630111c6a201dc176c6280a768fbf8d398ed9c2c583bf64e2ea9e820a6a9ffa

SHA512
fdfe4b2613cd43509316ee13d2e8ae9f923f5029d296e8c776e6a919a1d57dbbd53219f356b85cb8c4173ecd9d8ab33142ef8b6c73a3d72da195c18b82d81b6e

Download Submit
C:\Users\Admin\AppData\Local\TempMVREC.bat

Filesize
163B

MD5
6edac9d3462022d02e120279da89ddaf

SHA1
f278c52733191d69d88dbe1df8b6a02a93ba3fea

SHA256
22ab5108adb550ada184626694ebf822a31cb5f87674570ffb6ae03af94fa1bc

SHA512
ac9a38118f86ff136674e058c047c65089df3f0029a4226e3031a41b31a8ed17b1b82bb1abf51abfe993eca6ad044ce249016b435891c4674d1e924517ed110b

Download Submit
C:\Users\Admin\AppData\Local\TempNOYTA.bat

Filesize
163B

MD5
954308906078f9e09c3ff65de31927e8

SHA1
0b3af553e5b0acd913b6acaa2ed4248c2d1ffbd0

SHA256
0c4b5ce6bd0f3f0430629bb565c1be8ff35e4c43a41537584f208111e917c3ad

SHA512
e7aead48359b5ef9b479865bb16fc8a5ab5fb34c15653cd30bd221b6eba11bb4ad3cc05404b2942c4363681504669a8d2c8c4fb9cfac785c6dc674315fa4fe84

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.bat

Filesize
163B

MD5
b217cd93f39c76822c7d59441e2bf72d

SHA1
b74743485601810ac45731f8ef0ccc2e3a1f6e08

SHA256
72ff7221c084a4507b65f996ba9e40a2237cd9ce008748e9383baa25ac9d5f53

SHA512
193521f7f1e1c0257c63db0eedbdcd7737f295107be6e7da3fd61685fd86a0f8f593c268a575342623a24bec0682b1b33a0d25514c73db45761ce9d7f911f4c1

Download Submit
C:\Users\Admin\AppData\Local\TempPVLJN.bat

Filesize
163B

MD5
577f5996f783f890ba33c6040c10977c

SHA1
d1915aefdd08072f2e106d8b9542286c8a5fa759

SHA256
d08343b6b8202d4a4277e3a76d5aa1eccaf3280293107211fcd647cfc318679f

SHA512
a60567082ad8f9ba8e96752f664c270dac82056d1fc05720b3b9854994b19a1d2b2ac47a707140799a24ba08acd1f4e096821228f167c29855b111df26e4db1e

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.bat

Filesize
163B

MD5
55bd3a47e06c4e9b33e178babb5bd08d

SHA1
7a9be0964f4a0089321addbc9e7fbb972e6a46cc

SHA256
9ad24f852571b6c8ef215cd87bf67cbfdcb04a008cc896d9bf5cb6c8837b71ad

SHA512
5e07900f2a170912ca5b831d4eca63272a2858ab8b4a0b349077d44da12ddcb407985c75e22a1e3b8de0dc834127db35b092c6f329016c581a6f2fc3d5d80ad0

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.bat

Filesize
163B

MD5
147e4d1d539a94905cb7c743e7ce250d

SHA1
c4482b9bd941acb6cafce333fa98e369c1828b07

SHA256
28407de893ee67378931d1cf84a2756d085d2efa04de7ba161b4acfac9242417

SHA512
9f81a01713c2d2d2d23f6692a1a720ebfe71f8ddc15b2e98bcffb70e2e984cd174cb5144fe43c540a47955c9c4e3afac30d0406f2596ecdcca56145366e0f935

Download Submit
C:\Users\Admin\AppData\Local\TempRRCVV.bat

Filesize
163B

MD5
6fd117f208423d249769655802c3be2a

SHA1
3ee3d49980f8c042989a99b98355f141a34f194a

SHA256
1c2ba2205211bd08851020aa7e4e858f766c23cd1f7a9edfc88aac533f454f7b

SHA512
9e2eddfb57523bd138b73dd4f3a59912f0727be0e5fb6141f7532c94478083aba7f102e5d4afbc6a098b7c6bf6ff1006a4d69a875287c985cae87c54e5b4235c

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIW.bat

Filesize
163B

MD5
8d0ae0f07df5eca2edb697dd95a3edc6

SHA1
96d06c39c3551fe919430d0f4515c383f6ba10c8

SHA256
98eb42242270c3123b20f84c41a7e55d6425e626f95bbca3ace02523ecfab403

SHA512
a1531b319b3e33a06e09d591f04779bf91e827b0bef7eeec4984a185903569713a880cdab9343acbf95f1565ee933d5a62e79d455fa9295eed705b2776353c1a

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
ac925826b0b8f1ddb98b1da4ff70ef3b

SHA1
0d1b92e0cc4b6bd2b0f2724e1881ee403ec45d3d

SHA256
2b80898fa01a26ad6a62c25ae716d0c70df6a85fa80ae949f22bc8337ab28eb8

SHA512
d3e9066723291bedc356a2d5b12f4cacf7317826ed248ecb5d1d737907b05c5932475565d3eb760f6da546c88042813023ba4a5d8b214985ea42714aa590244b

Download Submit
C:\Users\Admin\AppData\Local\TempUQQFN.bat

Filesize
163B

MD5
bd4f58b633b92528b5f7e642725fceb2

SHA1
a426268d778ab345229a5fec099619050f92e181

SHA256
92f96c0053d3102fa41abf9ffcf7e292f2951f5d25b5e53c702696d651898561

SHA512
19a0e96b79ff9c91f02f4f382223b74dbe5e497e06e4e58e0f7a058e000c0e1af07789b5e1b88ee70281d8f5c9ea4a140162102562f6c9fe0dc0fc47b7eaff26

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.bat

Filesize
163B

MD5
1d04dcf7878702fd18d7e6ed7562894e

SHA1
7eb33af482be5164ce41ef0314274bdb945898f7

SHA256
12fac302f2e1efc661afc1594b5e5ab31298e3ac7cca736909610a7d48203890

SHA512
90194afa6724fd1ffe21cda8776505cc7b5457813b0bfd230f5679d75de2477e28d2491956e19588c55d4f97da897a8ef687290a0e8077ee130fce7696df5c42

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.bat

Filesize
163B

MD5
0d7ee6c9335600ff283e6c3556a9761d

SHA1
0aca254bf63f47db664827f53deee2b2cc6ee010

SHA256
0036d95d3c4b94f1b46d35e6eaca10da20170c21a525b7c84dd1c2fe0b0d9cba

SHA512
6688d8cfa9a29597c2e0a34bc43053fee01e1cb28c96c1d6cb49f67e6735cf85dd7afc534849a3822f828e5ed3455180100ba08a12f0841efca1fd0c2f6c53dd

Download Submit
C:\Users\Admin\AppData\Local\TempVRQFO.bat

Filesize
163B

MD5
b4884fa88aecad738e4f70a6df7c5442

SHA1
896ee53454e23fe6250ff107db15675c733c2458

SHA256
30b1803e2d106a97c62d74f5f1290e0637bdafb5743515bdb7a5787523691cc4

SHA512
d95c13394aa5aee5f3ea07e07b7a525b6b6e7be83170fcca6a4aaff8c3e45bfe7f2b899bd6bc102b8d9444c7b0cd3ccd491f408bd9ab4bc8097e14e379d85572

Download Submit
C:\Users\Admin\AppData\Local\TempWLXIH.bat

Filesize
163B

MD5
bed99924153a457f72a6257404261980

SHA1
a89ac11f99b22ee82e802d03bf71489fb1e7fcdb

SHA256
482906be9770e33010e13c0a43ce64a0b0b660c963c45372f9e73702f9dc4974

SHA512
8e500a1ff00a77c5dcb3c26d79e94c41b67d564ce62327733d6e4942157e7e6011e18d46f53c54bbf06e887e87e70863bee980e09bf244fa480b3ad06731f599

Download Submit
C:\Users\Admin\AppData\Local\TempWVRSS.bat

Filesize
163B

MD5
f7c2b529214710d2bba1b9dac4bdcef8

SHA1
0341723ce1dc588132281d460b672d26556c9c99

SHA256
71600a0cf16a5798f7590d1088d945259ddf2dc2548b5b04825a70066f685691

SHA512
c0d55e5894c48b924681a5c4d5d7adde5a4f3b3caac8decf33e4cc604c41cedfac18e4d6174442b98aa590327492851a054cb291371b425c2b45f14c40ca4f2c

Download Submit
C:\Users\Admin\AppData\Local\TempXNIRI.bat

Filesize
163B

MD5
493091b723f1019cd21d7ce77b87803c

SHA1
461c027f7380e8016c9b5171d1c4902d3701caa6

SHA256
469cb83f54c0fa8390f132a90b71b4489ab9b004fb3ce7677f3b381c44c22a8c

SHA512
418bf2ef52d92ca29f7c010ea6f5993a93a4f9fdbe5d2d7b39440584ec890f9152e231502061e58a3515284afc7b465717acc678f67f6dfc13f1f60df2aaa5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe

Filesize
520KB

MD5
8b220f394a798013ce6fe53589d2ecd9

SHA1
2ea621803c698638e8912b16cfa863c6a4ec1f0f

SHA256
581e4b10430e3d01aae66b544c1d3bd8f3e684f2e1d33ee83a2d1af885e57b4c

SHA512
358e2278f9556032791ceec83073c28a6fd07e0fd4763d633263c6cebffd15495f18cd717545282e2dba33d1afabe5b95036f7adb3683d8a991cc1e63caf4fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe

Filesize
520KB

MD5
3870d2d96f2443ff1e70997ab35355e0

SHA1
910f6c3fb6e3fa832432887c0aac27507484c928

SHA256
e2d6f918c2af84ecf9e58f6bd478f12887a4a6cf476ca35d37abb66d83211205

SHA512
2658dca578102b56f6ef1669ea0734ae4fa64aa4887d0a729d21cdeb1ceaa1139ce07317df9809e5d4812eb2ffe8ed1507102a37a2ce5b135180239da0876aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQOWIP\service.exe

Filesize
520KB

MD5
cdd551eec5b56c0f4436ff7fd2ea054f

SHA1
086d92a4e63838a945158a4d7be08b45ce9c9138

SHA256
d1dd462af3da42047267aa61886fb4f0a79b7395cfcf1427a2132cf9f0b36343

SHA512
1f1b72828866bfae524170ff1d11da98407c3b6fee88aa5e8e3e49724cfd98ae1a5a7fabf3d3e6bd4e9201ac3faa31eebd88d3469bfba8e24110347bea98b5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

Filesize
520KB

MD5
632a96fadc5dc45efa859a3763f74b90

SHA1
69c96114b3c9a1b63ceaf936f1e1f1aab294754d

SHA256
5b410420ba1a80d91b5e6c54de7341efd7ab5aecc703a4b4ac386440fcf213a3

SHA512
de587a377add0ef0e203cf49ad37e04a43eb5f40e2e3043b2a6819545786b4d826ac5b323dfcb5272557fe3aaf7d0121a047d5be3cb7cbc67a7e6025c6461991

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDYSGN\service.exe

Filesize
520KB

MD5
f69dd967b4154f3a2ad3ffdd207a696f

SHA1
e9e31460576924f0af8e7d3885da7125eb4b32c6

SHA256
d9d6bc86a98405ebaec4894654f63f01b39ec3d0edb15a7e24c1b596e1a630c8

SHA512
a7eb47664e377638f7b862ed7c29513d47de9ea008070fe3d15a293028f6e37572949771aa98597712eb6d52e0df7ee84f6903a7276ee230adfddf859ed6434f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe

Filesize
520KB

MD5
b5d700b4bea50cd63df89cb8b91213b5

SHA1
c0e58974f7c16357f73706089aecb3e067b432e1

SHA256
3c4deca895daa29623dcaf025f9bb57a750a4b774b3d358dccd96e3183fd607f

SHA512
4aa99afae91ec14be71020f848b15f40452875bc9f7594ef083412652b5f224336e4a1a71fb3628a4992cc86c6a069a7257b217edb30a9421049e969da9ec007

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe

Filesize
520KB

MD5
7d6de2c8556fd7d5270b3079eb2f4db7

SHA1
0cda77a95fdedf730c069b903058ef3c63a61b01

SHA256
306a86a3d0886ad8beab029bb2f3d4a6a2961a925c8ce31df8c33b88f210b06c

SHA512
6312bd12b33b8a67a730e6b71db971cb53911aab38ae2b83d845b3f0220ddaea932ead936754dea69462105c6daf9911c6db23efc5ce4187cbd286207202f811

Download Submit
\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe

Filesize
520KB

MD5
758545a986474ee59928dcbc6db3d660

SHA1
5d433e3cf57311edc43ef36e2c66b038f7aea008

SHA256
1696c76e9057bb7dbeded850e123e7607bb6918231e62d0510aea6d9c9ff1b0e

SHA512
e86154e6c411d91dc89132c7bcaf61ed85d0141ad2ffb523e506a7238f0c661c127e39d8c4b957da251713d29c9eb7054ae450f09dfb3fd52f9b3110ab302bae

Download Submit
\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe

Filesize
520KB

MD5
d5404247f5c08429bcd9e0fb0facf73f

SHA1
d2959e865a894bb7f328861dedfe2b700bdd29c5

SHA256
a8b2903809491eddf7d1edb82e25595f9559903ed6a721078ac3531aca2a58e4

SHA512
466a8aa83a5e949cd6c7ce35613e909f3b66c6ce552e6e1296bf488c5d294eff59b9d8ca988e7fdceca6fe5a7bbc879540545498ffb9823d73f0b067898f224e

Download Submit
\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe

Filesize
520KB

MD5
f488f7163079f57e81dbbeb13babaae9

SHA1
33161024fd7d4b32e512bb935cb955fde4a62818

SHA256
8b3308a6c83f9a15250f29b9ea6894ca604dc7c41a1979c7a78f6d9a79c6b325

SHA512
84e0df3ab0e5b3744cb5b96ee4fec70539324a842453d8779607f8de41a40ef044418651a8ae2ae1534762e5c71ccedc281c8427a73944769e2bb866449371e8

Download Submit
\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe

Filesize
520KB

MD5
3d0bd7c2a23ef47ad07dfdf07d6f0a6d

SHA1
3b87b9ed811af493afe50f3e92a50da34d23a31e

SHA256
aeaa19306a7bea9d20c7f3f77c01998cd455f110b66bbba940d54c8c36275b7d

SHA512
30c9574a3222464a8d40d1f0af81dfc4f4b42f6ba73e0070209c556eaaa3a113749d90257a335e050eca3bde62560f291eab7e6629a6e057b64451d4e2ae9591

Download Submit
\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe

Filesize
520KB

MD5
f255585c4d81e17eacda513ba9353a85

SHA1
ae78649f2beb397513f56aaf4da7dc3d5de3819a

SHA256
c9c7923ae5ef95cbf1424129354226283aede6e222effa9756f07110f6c540cd

SHA512
6c8591d75c39c7e553e841741c85f1de6cdb6912f25a09a0613361e0ee124a8e24de4fc14d67575e09722ae00d1e335171146b1fba7dfa85a14b4fa17e7a5ae4

Download Submit
\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

Filesize
520KB

MD5
542c176120084d8d89952164046f6269

SHA1
9babdd5841c6f8e11d628208be24223f3caca032

SHA256
a73439802b576835bd49587d53a04ca7baae676b28774ef62f944c9c2054ad18

SHA512
d50f5692a5c7542998209977e39a38ac9cfa2461204b29939e65dc2aee4c5906e1bd4c5d3f91613e96e887e23326030d366d640739013b6ef1b9a777c664f905

Download Submit
memory/2144-1026-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2144-1031-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2144-1032-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2144-1034-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2144-1035-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2144-1036-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2144-1038-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2144-1039-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2144-1040-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads