blackshades | b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
Size

520KB
MD5

36a828650bba44e1b32b96bd0c15f427
SHA1

17c64a0eff01a4175eb0b521338edebde76cdb92
SHA256

b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487
SHA512

3b2d16a3741ae17d3fae894370d6dd483e72e4ee4e9abecdeda13178c1a86504770e7ee2122b5a66eecb29cffc15665a101d46e493ad9bea4ed0abf829003608
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXQ:zW6ncoyqOp6IsTl/mXQ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral2/memory/3420-834-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-835-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-840-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-841-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-843-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-844-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-845-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-847-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-848-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3420-849-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAVARMGBGVW\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 32 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 33 IoCs

pid	Process
2196	service.exe
840	service.exe
2816	service.exe
2548	service.exe
316	service.exe
4504	service.exe
1480	service.exe
3056	service.exe
3988	service.exe
2676	service.exe
2148	service.exe
1188	service.exe
2516	service.exe
5108	service.exe
3852	service.exe
1140	service.exe
2924	service.exe
4960	service.exe
1500	service.exe
4584	service.exe
4756	service.exe
2056	service.exe
3240	service.exe
4476	service.exe
1976	service.exe
1140	service.exe
2304	service.exe
3332	service.exe
2056	service.exe
4256	service.exe
2152	service.exe
3700	service.exe
3420	service.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYDNLKOBFBPVNED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWDNWUEBLFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQGUQOTFSUPIMNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVIOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KSKTPKUFVAEUVSB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMRNBNWBUYTPQDI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIEYTHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDOEAWVMCQMKYPB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHGMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CUSBBVKYGOFDPML = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTRUFKPCOWOB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVJKFDGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUCXNRWDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVHPHYQMHXRCSBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYAKQXYJBDRMLGB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVQTXVYJOTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCDOULJNIQEFYWF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAVARMGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IGKFNBYCVTCCVLY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPNLQDHDARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMYYCUSBVKYBGPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAVRMVGWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPSDHNAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNLJNBFAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTRVQYMNAFMNWRR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ANNHQXIEPIJSVXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTAJWSQAVHBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMEKRCDQWNVKUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDSXQGQKILXAYGT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMIURPT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JGKFNCDVTCDWLHQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNWIOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AETTGIDBDYTHOJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJBRJHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGGIDAKXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQVGHENFKBY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAJASJGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSFSUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IXYVEFQWNLPKSGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXYBLRYYJACDRNM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXWMWPOQCGLYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BPOAJASKGBRKLUX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWBDTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BVTRVJNIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEUMAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IVWJPWWHBPYLKXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYQMHBBQROXJP\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3700 set thread context of 3420	3700	service.exe	236

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2528	reg.exe
2532	reg.exe
2488	reg.exe
3444	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3420	service.exe
Token: SeCreateTokenPrivilege	3420	service.exe
Token: SeAssignPrimaryTokenPrivilege	3420	service.exe
Token: SeLockMemoryPrivilege	3420	service.exe
Token: SeIncreaseQuotaPrivilege	3420	service.exe
Token: SeMachineAccountPrivilege	3420	service.exe
Token: SeTcbPrivilege	3420	service.exe
Token: SeSecurityPrivilege	3420	service.exe
Token: SeTakeOwnershipPrivilege	3420	service.exe
Token: SeLoadDriverPrivilege	3420	service.exe
Token: SeSystemProfilePrivilege	3420	service.exe
Token: SeSystemtimePrivilege	3420	service.exe
Token: SeProfSingleProcessPrivilege	3420	service.exe
Token: SeIncBasePriorityPrivilege	3420	service.exe
Token: SeCreatePagefilePrivilege	3420	service.exe
Token: SeCreatePermanentPrivilege	3420	service.exe
Token: SeBackupPrivilege	3420	service.exe
Token: SeRestorePrivilege	3420	service.exe
Token: SeShutdownPrivilege	3420	service.exe
Token: SeDebugPrivilege	3420	service.exe
Token: SeAuditPrivilege	3420	service.exe
Token: SeSystemEnvironmentPrivilege	3420	service.exe
Token: SeChangeNotifyPrivilege	3420	service.exe
Token: SeRemoteShutdownPrivilege	3420	service.exe
Token: SeUndockPrivilege	3420	service.exe
Token: SeSyncAgentPrivilege	3420	service.exe
Token: SeEnableDelegationPrivilege	3420	service.exe
Token: SeManageVolumePrivilege	3420	service.exe
Token: SeImpersonatePrivilege	3420	service.exe
Token: SeCreateGlobalPrivilege	3420	service.exe
Token: 31	3420	service.exe
Token: 32	3420	service.exe
Token: 33	3420	service.exe
Token: 34	3420	service.exe
Token: 35	3420	service.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3060	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
2196	service.exe
840	service.exe
2816	service.exe
2548	service.exe
316	service.exe
4504	service.exe
1480	service.exe
3056	service.exe
3988	service.exe
2676	service.exe
2148	service.exe
1188	service.exe
2516	service.exe
5108	service.exe
3852	service.exe
1140	service.exe
2924	service.exe
4960	service.exe
1500	service.exe
4584	service.exe
4756	service.exe
2056	service.exe
3240	service.exe
4476	service.exe
1976	service.exe
1140	service.exe
2304	service.exe
3332	service.exe
2056	service.exe
4256	service.exe
2152	service.exe
3700	service.exe
3420	service.exe
3420	service.exe
3420	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1512	3060	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	87
PID 3060 wrote to memory of 1512	3060	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	87
PID 3060 wrote to memory of 1512	3060	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	87
PID 1512 wrote to memory of 1484	1512	cmd.exe	89
PID 1512 wrote to memory of 1484	1512	cmd.exe	89
PID 1512 wrote to memory of 1484	1512	cmd.exe	89
PID 3060 wrote to memory of 2196	3060	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	93
PID 3060 wrote to memory of 2196	3060	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	93
PID 3060 wrote to memory of 2196	3060	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	93
PID 2196 wrote to memory of 3240	2196	service.exe	96
PID 2196 wrote to memory of 3240	2196	service.exe	96
PID 2196 wrote to memory of 3240	2196	service.exe	96
PID 3240 wrote to memory of 2288	3240	cmd.exe	98
PID 3240 wrote to memory of 2288	3240	cmd.exe	98
PID 3240 wrote to memory of 2288	3240	cmd.exe	98
PID 2196 wrote to memory of 840	2196	service.exe	101
PID 2196 wrote to memory of 840	2196	service.exe	101
PID 2196 wrote to memory of 840	2196	service.exe	101
PID 840 wrote to memory of 4724	840	service.exe	102
PID 840 wrote to memory of 4724	840	service.exe	102
PID 840 wrote to memory of 4724	840	service.exe	102
PID 4724 wrote to memory of 1136	4724	cmd.exe	104
PID 4724 wrote to memory of 1136	4724	cmd.exe	104
PID 4724 wrote to memory of 1136	4724	cmd.exe	104
PID 840 wrote to memory of 2816	840	service.exe	105
PID 840 wrote to memory of 2816	840	service.exe	105
PID 840 wrote to memory of 2816	840	service.exe	105
PID 2816 wrote to memory of 2056	2816	service.exe	106
PID 2816 wrote to memory of 2056	2816	service.exe	106
PID 2816 wrote to memory of 2056	2816	service.exe	106
PID 2056 wrote to memory of 4520	2056	cmd.exe	109
PID 2056 wrote to memory of 4520	2056	cmd.exe	109
PID 2056 wrote to memory of 4520	2056	cmd.exe	109
PID 2816 wrote to memory of 2548	2816	service.exe	110
PID 2816 wrote to memory of 2548	2816	service.exe	110
PID 2816 wrote to memory of 2548	2816	service.exe	110
PID 2548 wrote to memory of 2120	2548	service.exe	111
PID 2548 wrote to memory of 2120	2548	service.exe	111
PID 2548 wrote to memory of 2120	2548	service.exe	111
PID 2120 wrote to memory of 4148	2120	cmd.exe	113
PID 2120 wrote to memory of 4148	2120	cmd.exe	113
PID 2120 wrote to memory of 4148	2120	cmd.exe	113
PID 2548 wrote to memory of 316	2548	service.exe	114
PID 2548 wrote to memory of 316	2548	service.exe	114
PID 2548 wrote to memory of 316	2548	service.exe	114
PID 316 wrote to memory of 3868	316	service.exe	117
PID 316 wrote to memory of 3868	316	service.exe	117
PID 316 wrote to memory of 3868	316	service.exe	117
PID 3868 wrote to memory of 3844	3868	cmd.exe	119
PID 3868 wrote to memory of 3844	3868	cmd.exe	119
PID 3868 wrote to memory of 3844	3868	cmd.exe	119
PID 316 wrote to memory of 4504	316	service.exe	120
PID 316 wrote to memory of 4504	316	service.exe	120
PID 316 wrote to memory of 4504	316	service.exe	120
PID 4504 wrote to memory of 4780	4504	service.exe	121
PID 4504 wrote to memory of 4780	4504	service.exe	121
PID 4504 wrote to memory of 4780	4504	service.exe	121
PID 4780 wrote to memory of 3244	4780	cmd.exe	123
PID 4780 wrote to memory of 3244	4780	cmd.exe	123
PID 4780 wrote to memory of 3244	4780	cmd.exe	123
PID 4504 wrote to memory of 1480	4504	service.exe	124
PID 4504 wrote to memory of 1480	4504	service.exe	124
PID 4504 wrote to memory of 1480	4504	service.exe	124
PID 1480 wrote to memory of 1328	1480	service.exe	125

C:\Users\Admin\AppData\Local\Temp\b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
"C:\Users\Admin\AppData\Local\Temp\b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPCYX.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTRVQYMNAFMNWRR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1484
- C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
  "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOVKKL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMIURPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe
    "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNTYJH.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KSKTPKUFVAEUVSB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
      "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPGEP.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IGKFNBYCVTCCVLY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPQBUU.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BMRNBNWBUYTPQDI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ANNHQXIEPIJSVXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLOPUB.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQAVHBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAHHQ.bat" "
        9⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHEQOM.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JGKFNCDVTCDWLHQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempORMFI.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PDOEAWVMCQMKYPB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        12⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASJGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMWRFC.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSFSUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHDARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVNTFB.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IVWJPWWHBPYLKXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVHNS.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKVSQU.bat" "
        17⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AETTGIDBDYTHOJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBXQV.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXYBLRYYJACDRNM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDNLKOBFBPVNED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
        21⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVGWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSPXKQ.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVHPHYQMHXRCSBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWPVHD.bat" "
        24⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYAKQXYJBDRMLGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBFAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPDGGA.bat" "
        27⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CUSBBVKYGOFDPML" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSENEI.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGGIDAKXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDNWUEBLFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKLIR.bat" "
        30⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPOAJASKGBRKLUX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSAFCR.bat" "
        31⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQGUQOTFSUPIMNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEGPL.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVTRVJNIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "
        33⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCDOULJNIQEFYWF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        36⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe:*:Enabled:Windows Messanger" /f
        36⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        36⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        36⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHVDR.txt

Filesize
163B

MD5
288404ad3a354f01cdbe49b6e22f2238

SHA1
271846f48474dfcfd9793e67019d8c4cd00a3199

SHA256
5824040f5c09e0a448bcc117cc31c781e6dd7e0ac6910081dd51f958a136028a

SHA512
bf3cd87d1b4dbad957146574d6799bda3cbc12362126b2c7e9380b4327d7e90b3d37a7bcbaf8b7b5d50490ea4ab6b8a578b235a2009c1b6b333ed192d8a30873

Download Submit
C:\Users\Admin\AppData\Local\TempBEGPL.txt

Filesize
163B

MD5
93d6bc98a8dcd3f6988afe281a8ad0a5

SHA1
d7361375cf4e7d85eaad2384f184216dc7856daa

SHA256
2332461df183e3ef2f9f251311d631d7df78e19eef248908d1c4b0565cfd10f0

SHA512
a464d39a2af798087ab6f7c7234211780adff88b0479e03c4341cf901c33a47eb081d3e22b849f5b4fbbc08f5b24eaee56d796c5676bf8fdcdc6ddb2cfe63878

Download Submit
C:\Users\Admin\AppData\Local\TempCAJXF.txt

Filesize
163B

MD5
b28403aee67ab7a7f8f07be0b373dd94

SHA1
b502b36bfbd3aa2deceff2f71ee8361ce6cd773f

SHA256
649710c31047be7194e4413d3cbec7ac665f2fcb03f38823fe5aecffef1fa93d

SHA512
e3167da20d6d31aeb865f87e4e8fceaf440b9b3f448c313af443293f8e2d6f0a17f919183bed0e49cecbfc318c11ee83da78d43fb3d062cc3f9a068f9f9b4a41

Download Submit
C:\Users\Admin\AppData\Local\TempFYOJS.txt

Filesize
163B

MD5
fea3c7b3ae3cabaaf93ad02ba3fd3d93

SHA1
5056b9c08d9ced49a83b56b6cbf839ff890d2bd6

SHA256
c1891b16a57528b5c2379900dac7f471a2d8e59285cb6a81dfdba776124fddb5

SHA512
4bd117741577e9370597f06bc0e8dc2f25d609cd85a3a5b4ee6c6e7f13fdd3d260a8a05792a8f3acb821656c167366e48ba6bcd6ded8aaa3cd6718659a6a7fff

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.txt

Filesize
163B

MD5
785ffe10dbe7c97f5f8a5b7ec7a24fed

SHA1
9c93779324bbac7735959415bdd60e375dd745de

SHA256
8c4ec5784d0ff1da7dc85668f4885f6b7f477df020cb06fd499fc629f574ef52

SHA512
e27f1218ea152de42143e3b9087ca65fcd9a1629dd30f09ce3875a71dde23a73d2ef9653cc948a6d34312e3d320f429f8b1cc1a62f5e01e173625bb826585c1e

Download Submit
C:\Users\Admin\AppData\Local\TempGBXQV.txt

Filesize
163B

MD5
42f9e490ae1d1774acd1d03eee975633

SHA1
d917ffcdf6b8a73e602d041ca5865779d1b4cbcb

SHA256
521eb64bd030bb000636e6c97b890bf1ba91e081e474e86f70076c585f19648d

SHA512
8e102bda6b132205d538d4c7717f7ca3aff5127686202286cecc36e017a067d76b58e9188a630051227438bdcce2d8201a24ca48ec374bb0eae6c0600ac798e2

Download Submit
C:\Users\Admin\AppData\Local\TempGPCYX.txt

Filesize
163B

MD5
a306ef6ba48e2796806901071cbe81b0

SHA1
92217a0264634e6dbeef270d2bcde35258b5a4ec

SHA256
2747ea01e1d7bae87219f6b19b2c0d123dd4d671766d21f44bd2e44bf605d117

SHA512
7f149b2717ceef433d9e940f5f1725442f1587d8abb1f6ef50a6478ad71bf5b9468b35bebb8ef9a6de8101e3e14c675996bc63e9ec0208c711e735d5d92e949b

Download Submit
C:\Users\Admin\AppData\Local\TempGPGEP.txt

Filesize
163B

MD5
5057c7deaee0be38c6a572c4924394c2

SHA1
ff4c90ce5cf750d7672070cbc204702728108dc1

SHA256
c4919d240732fae3df7e46642238888548ea76972ca7195a847fd005991f7b60

SHA512
a429c31158dd27554d917c7e3351a62f2743784ad140fa2fa80645b3989bb304f4b6446422e39e064a6f81e90cba00fefb25011ba0e555ab998a7a8c02d38775

Download Submit
C:\Users\Admin\AppData\Local\TempHEQOM.txt

Filesize
163B

MD5
6dfa3bb9b225a09f27733de4eb0010dd

SHA1
ae7a360eaa775844fb4ad22ae7e0bd59d8f9b954

SHA256
17b06ffdda1ee268c885979f345ae4a1759a4ee4d4f7a025a1d64a8982355abb

SHA512
6482c20a337a80e10bfd251f64d68bc0db6d8319ad153a451aad806684f7dcce7e3d27ed535ba183dd367c8b2b9ad9bc84cda98100ee3569abb1d725c24b2543

Download Submit
C:\Users\Admin\AppData\Local\TempJGPBH.txt

Filesize
163B

MD5
204d107dd43ef702d111a72efa7285ae

SHA1
5ff359dffcb46bb4fec139f5c6a772ce63b921d2

SHA256
cfa4701cea969edc4871d7db3fc85aa9433f37db72cfc8c8b71d4adeb02b2abe

SHA512
d4c9a704015554497723bd537a6b0643e67888609036c16185d5fbf8d9922f85f2e18c242d3f9186b0fdb75d7ccfd7b36f1282434560f6a44180eb348257bc55

Download Submit
C:\Users\Admin\AppData\Local\TempKVSQU.txt

Filesize
163B

MD5
689a1a861a3026bb9c3f086abe0589aa

SHA1
12947eef0ef5cc3e74f857cbcdf6a40480994854

SHA256
b80727bd73477db107364150a953ff5e405655a0bc8ac517ff3c67341c78380d

SHA512
c37210ca95faaa11774426a16e3b6d0b539267e5dc0c3082844fad78ee246915e14e5c726518732f102b6376a9c76f5633d4397ed72019bbe811df407668a24d

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
fd50b11471ea34b28ea4baf4cf00447b

SHA1
7da4a4a45ebad76a7483aa0aa190263e26c5988d

SHA256
16a4179f62df9a3eecb91dc59d53bc909be3c905bfe923ca44764f1432329705

SHA512
997af4e9cfcc8962f5e6e0998087c5b71c0ec7c2701cfed0e5d0765640fb221167911a141ca279d57149228f3272bf2157ee6132df0fd28fdf8c9cea85419c61

Download Submit
C:\Users\Admin\AppData\Local\TempLOPUB.txt

Filesize
163B

MD5
5d38f5a1b5aa1b30781c0c84f64331fc

SHA1
acf15e6ce88d606070b06c3cc026a4046a2ff90c

SHA256
6d6f51ac46cba699c83bfd2d6306ef11d5e7fb0c0fd7a9c622dfc7b02c54badd

SHA512
4d881110cd080cab828d06a8dbf602c6f9e29aeb5c8d7fa1f77db6890b5d7161e7f5b433d884dcbcb6dbb0c49a05e05d1b46e726ab53f64427653203dc7b7415

Download Submit
C:\Users\Admin\AppData\Local\TempMVHNS.txt

Filesize
163B

MD5
6ce931fff51c553b6f9155fe92023586

SHA1
97f7096809522dd0db95b052be9deed33cf566e1

SHA256
26fe90c0a595f3d73d39df2865d49d1f63a51b94e0758faab3b025de8e8736e1

SHA512
1eb74627887ee7a61293ca6dec4fe45139a08dba9c4a458d9c8b4dbba0423294f02ba300045ec5333d07549e46d855eaa7ef6f4053b9f9a3068d2976f05ca605

Download Submit
C:\Users\Admin\AppData\Local\TempMWRFC.txt

Filesize
163B

MD5
61dc028764ad6b9891a8f2f34520b82b

SHA1
5141541d6132615628de2773ed1f6312366f00b4

SHA256
111d2e24fe65d0de5f713e20db05ee66e37315aad27377a366ba35f52392702a

SHA512
d92fce65bb80e08cd3448c62c16a9baf1aa9d0dbd5855c72985cfc721ac8e86567bd374fa3f9d8ad3b261f1a55e13eb2d2dce5d0d3ed5fc8b081febd7ff24f77

Download Submit
C:\Users\Admin\AppData\Local\TempNTYJH.txt

Filesize
163B

MD5
90c775f8e87d5c5db9d0af5fd18a8a94

SHA1
acc4ec7875437e5696d6d52d355722adede9d75f

SHA256
e05992e6f9772fbb6247e20d2ee1e8d055f0a710a64920ebdf3a63e24ded9b93

SHA512
9f8e14dc9c92254378eea985025e8ccadb6fb92c135952539a56a33d6f123de208e2c761d42f7c4d5263403d024a5309379eb7ad2ae4d4dd71c1ed5a562ce36f

Download Submit
C:\Users\Admin\AppData\Local\TempORMFI.txt

Filesize
163B

MD5
915c92d3754936f85a1c04a625befc64

SHA1
ab97c7450b4ae0e7d53a00459ac1f6abaa82c7fa

SHA256
c188176dc54da6bb800abb73c160eb5a8207c6a0aeb34486ff9df107f0b5e365

SHA512
2fbd081f1142e8ab3571400a460543e99183d83eb05a56a452983508ba96449d04f94800151ab386e735ed70e0381a41210800fe58afcce11d3e647402e77889

Download Submit
C:\Users\Admin\AppData\Local\TempOVKKL.txt

Filesize
163B

MD5
018a9e77899180afc3f3e2c8daa20fbb

SHA1
6790c3768ebc95cb2c4a295bc450367747c91295

SHA256
710518ea0c02af27d7383b1b8a97bdc6e1479aa504f36566f8b093911756cc1d

SHA512
a40788ccbd92583b0c63001b403d103814718e9143b693197814f8cdf371c4c0dce8521e73e197f6abef6c1d2c8fd8fe18c8e0b7bb5e3631b31f7cd6057fcec4

Download Submit
C:\Users\Admin\AppData\Local\TempPDGGA.txt

Filesize
163B

MD5
3619916f364262dff0538c83a53ac604

SHA1
1ae08814141f18ef9b1c456b92a6352974b38813

SHA256
8769a0a6582ea174b14703c6f6eba9b73425ee49bb9258b308bf8e1ec49ea467

SHA512
0d72803c44127c3debde7c51b498074e52256fa900c9f20726d6860f5a2521f0a414eb51c0d363ef3f672a976dbbc34f35b3f58c6565bbe51bcb6dedebbf5772

Download Submit
C:\Users\Admin\AppData\Local\TempPQBUU.txt

Filesize
163B

MD5
edf072aac1a5a0919f173f37c3f4a6ef

SHA1
f3c30683fbcdceb643e35d5e0b93f1d3bafa07b6

SHA256
bde0aaf2c662a8d3c5f3cb28c1737545a2e6cd147e11387533a122243cefe111

SHA512
f356a2803e19f06ce13270bf2a4772c42f674db9dab8612fb6e56153c75c8b87d566f590ed13676943fcf23f6e45d66601c4a3489c5f00aa9dbe7412cf0fdd61

Download Submit
C:\Users\Admin\AppData\Local\TempSAFCR.txt

Filesize
163B

MD5
5e3cdb634454276b1a453420f52b8fad

SHA1
9740177b13d7cd6f803ddeaf45b51746e17e4214

SHA256
519000375158f038650e373d14bc8ac483b7e3eba1021e68aadfa2f1d4d45c48

SHA512
7e379037e25143281fcaa63226fcb01b216410be2786b48afcc13c9c231ace1e4f76653d18d13b43a2413551321a5959fde6dfd10dd72a3f1ae7a36cdf01d690

Download Submit
C:\Users\Admin\AppData\Local\TempSENEI.txt

Filesize
163B

MD5
a3fd9c52884fa270ff4d001b0797c7bb

SHA1
df66229c5749d8f8e1736928aa8f6f83c6b3af9e

SHA256
bbd1c1fdf1a43cf9efc4051f0e2a8d2a8e5b0546c60b2b6415134dfdb354fc7d

SHA512
0a2b1c243ac6930896244a088f3d79fe4fb4b7f27f2c98a1dabc4c857291689c6a02829cf98e09c0ae2ebdac2dd23b0d959abaf0f13df06200ce140e5c0d385d

Download Submit
C:\Users\Admin\AppData\Local\TempSPXKQ.txt

Filesize
163B

MD5
0b981b7709d6b71cf4f1cd0976669fd2

SHA1
b625a9db43710984db717b2af33b5191e0ea044f

SHA256
1fc033eaae67d83ee7dac49feffe4e17ceaa8decc1ee41c81b17d1a873bd34d2

SHA512
b5246c7b6bd4925f8d889aae7004686c33866fc7c12851a25d6d7a55fceda1d349348a0eaa2549efaa80ff5f96c31e5b90c1e8369ef31e255cac295832c35f55

Download Submit
C:\Users\Admin\AppData\Local\TempTYKIM.txt

Filesize
163B

MD5
ab9ed2379d2677b094c01e1e5edc2dbb

SHA1
edd55b70767b067d515200017c17c4739e8b847d

SHA256
ccd5db2945ada5a0f9659c3bb7c7e1f45664b761db8b75380b190f53ad920b12

SHA512
2d133f54f55d84ce796113fef6e42f485d64f71d28bb8a8dcd49c5c8b552a5a9d02c3e0bbea042dbc9f847ee37141f6591209c77040695396f72208eef229b67

Download Submit
C:\Users\Admin\AppData\Local\TempULJNI.txt

Filesize
163B

MD5
93e03e812db834afd1ebd6d0893bcba3

SHA1
00361990f78ba7b354aa7ff0c75894768e976a0f

SHA256
d2a1a47dfd5ba377828788569d40d244913977233f88241a464ca8ab391112c9

SHA512
3a83fc72386afb3070044cd023995d66d824c726f746f8db3eee809fd60c8379525b121d868e40e35dc6a4a25467141f6f1aa9c000cdfcebc3195ac2c6478866

Download Submit
C:\Users\Admin\AppData\Local\TempVNTFB.txt

Filesize
163B

MD5
fa72cee6c5407b7a5528b184f63bc6a7

SHA1
3786c7f7ac20a858f61eed7a2909b5bd00a0b8e5

SHA256
d23ac73c0ef5bfeec78ebd9b5a4d4c6858e9ebce97e56a0bbf3250b4d5aa8b7c

SHA512
0237a2adaa37d3d493f2a853039ff846fd90601f9e35a4bcb486af448a6fe392768146098322a7ec7112e4510073e42bd28a7a6c15961d05fb20febc050b2d78

Download Submit
C:\Users\Admin\AppData\Local\TempWCUYT.txt

Filesize
163B

MD5
81d26e1eef9a29cf2c12a877a6787659

SHA1
2762ceadeceb74c1410ee10eebfef95d4de1a3c8

SHA256
6bb538d3af5f2909955537cd3b6446b7096600e8eaaeab0b37fb5f09099e5ca7

SHA512
f2b3c0b42477a90743cda63b065c976b97443ae17f18c2c3a5b608b9c1f8627e05e571a8b86232c5452c00c42f29ea2f5c01bca0d6bcf91253406406b7f69624

Download Submit
C:\Users\Admin\AppData\Local\TempWPVHD.txt

Filesize
163B

MD5
7891f5bb4ae86a7d7116d4f358aee942

SHA1
479d9292a026b3501c7cce2dc06d5c65d5159838

SHA256
fea3a766173cb2ff4b62ed613e829716a2fe9c478449d9a2f202e2c24111a1a7

SHA512
0a3d9dbdd18c354dc2deb412d24773329c3de28ab5595f446d9bc66e3dd6f7c166c09c941ca5668c6f871b868107f4bea83848a427756d10327ab076532b3cb2

Download Submit
C:\Users\Admin\AppData\Local\TempYAHHQ.txt

Filesize
163B

MD5
fedbce18430210fe43131374e909e412

SHA1
c900259034e20b6d752e0019f488bec00877f0e1

SHA256
2f82a85f0fa02d84e753281464b529de2f1f9d5cb7b4d4381b51fd76b0d81335

SHA512
4c58214938559df80dd59820ee589844a6d3e4a19a6b2619446351b2b295df8f74e388f3ffef3695bc7199e1ebd8421a5fd9e0dae2825bf55cd22e91ef05e88b

Download Submit
C:\Users\Admin\AppData\Local\TempYFGDM.txt

Filesize
163B

MD5
53da839b7a662534ef9d88e2e32e4c58

SHA1
727d7db944d405c7a0b13ab5d635c4a8af0f1362

SHA256
e1f4cdc708ed3a1faf6f978593bcb2305d5992a521c8656c8240805cc2040873

SHA512
311473b5b1103496db6a09a2f8fa71d58fc3d67b4222b806af3d2c9ac64849d554e21b2f9f837c9b25348217f091bcf82f2f58d845d92b4b55291e806b653494

Download Submit
C:\Users\Admin\AppData\Local\TempYKLIR.txt

Filesize
163B

MD5
081e09a43053171bf9abc867b08e0264

SHA1
3ef9fec9a317ab317087e482ecf6141871713966

SHA256
ea2ba95d7ec4d14e2c90838591dea3a9098fb7dd14be896fe97fb8ce35fe224e

SHA512
c02a54c023777c885c189f1d88e6bcbd8ff280ef6ff35a0e8f5992b33f023e9d4a5eefb290d4f77058393aa1e17ecdf16235dbefb2440ee9d99a47260f815d93

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
a06ecae5075a1e6ceb94eee198aef50e

SHA1
e175008b8b6cca1d62113465dc88ce4585971c4c

SHA256
8c1eb427c6a819cf59cce3c4d3334220ba7d8e52ca045ddaab070155c0d2de6d

SHA512
8b6b64fb226c84eac74e875c3628e32ed5becc63a4c69cbba4c7408acf6237053a2b9fc1933f1d269f4c636143a9c7e9190a0cc8105d0a6ac10c9f0bc5a115a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe

Filesize
520KB

MD5
a066017ae3cff97364311a186b971eee

SHA1
b34f0f0a5fa4d18e4fa84738103864f9a6087c84

SHA256
56a6e7a829ff2b6cf72168534cf738bef0709033a5bab9fffb138e7e75f3ec9c

SHA512
e7d2d1a78080009fd4d4b10bca858536448171479de7a784820dbbe59002669b8d18c6b128dd41e2d99135891ff99386e94ed6aa66a178ea6a05e8457be2b129

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe

Filesize
520KB

MD5
e97d8ae58cca2737348006a93edead00

SHA1
5b2f12463c7904bb226bc11d8498ff4ca8e55557

SHA256
b2bf4eb0a72197c1b517da22747bf3d42979db73266713af835f36331c3b91a9

SHA512
ed339d73612a16027e3f55f6172002519b1520536e6cca3efdceb64b20bc518644c66a822a8b0b953dffbacd9a22dcdd451ef93d2b8c2772ba7ba37a7620ccba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe

Filesize
520KB

MD5
3cce06fafb1bb531e0a77e6df73959ef

SHA1
c32fc3212b9c0f6f095cac817cc6bfc7b938bfc9

SHA256
3cc0f028ba7e1b0ac6a5e53c02f2c2cdd35e89d99e00526c5c50c4f0c9ae1f0d

SHA512
86692e9183ca6f81bfabb5fa6a170e8b91f46ca5d08166cf952f01436e129dfb01305b9dddd61b9e2bbc86267bf730a1e018734d473a588a40c86e1d13679e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe

Filesize
520KB

MD5
7a58a66043f9ea87397d3a27de3614ac

SHA1
b7c3be8f722ce93769a04e84ab1d59ea620d46e5

SHA256
3f63c5820e188d2548fbae0c406d751ff5a98fcdc9afc6e23414c91a01a21e01

SHA512
203b287a147e7c6b8500f460fd275bfc0ad7ebdf93bdd73225f6cac3f99ad1eef68975f177464127ce2262096cacd751d5fdfe75f82b288a2b90f44ca08b9b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe

Filesize
520KB

MD5
b49b8c175c27480e905eebe28ffeeee2

SHA1
385d21fb0011bac35dbb58133b5c9f122be3cc5a

SHA256
f1c6686b213b6ea97215ee589d79c5300f096c130075bcad24828473f9afb32d

SHA512
76465c2de39d4d851548648bc41461b2585a5fc9108f8721c4c955631b280e5a6390d9c2fc9764a6f15970fe1637824748a59d05dba43991530e263d31e9c24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe

Filesize
520KB

MD5
a1a3cf52806bc5c7d295b71dc92a0b8e

SHA1
d117f59e557d5a6c53168a09b2d8a4961ff0fecd

SHA256
74692157833b687f27e9d6b911d3d06ebc7131e1d8e503b4faacbe369259e858

SHA512
c7d5673eaff0efc06e629800e0c616305053697e9a3be5268ae590c50fddc03f9d91d2125fb9b645a89d4ec114997face0626ce84a905d6b3d70ef4aac239864

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

Filesize
520KB

MD5
489a841eef9538dd69cf31c920b21241

SHA1
c87541cce2c0e6d78648bb3372bd3008760e5bcd

SHA256
bb91d28f985dde6e33b49c19ec712f74fa15100ae637cb9d6b31ea847ef8889b

SHA512
44d3dc0815fae74f6409714f9b45fa8b9614b9563d0ab2b883e96444e906fab5fc2e29f12ee5fec5911bbde06aed466b5208d1f2dce353705c83b9f74897920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe

Filesize
520KB

MD5
43ed7adabe87ff97476f40174d00f736

SHA1
c6a1e527d55b9f69751af1549bcdd4e79dbac59f

SHA256
c5a7d951f8730b393245946dcec8c63ef64b5ef165affd5982adc9fb09900e76

SHA512
b5d83f22f06e2d4cd8cc768b115683d0ffc1f90b52b996cd2d78c28df8c526c0cbea006a47a7d96f4634a6dbb89f30a890df996627397912084042d2c71455b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.txt

Filesize
520KB

MD5
963505f9d79e626173f4e191ce1ba8eb

SHA1
2f994e5237d9184df0dcaea262e14925a872ed5b

SHA256
a7f2e52ade575a48a9f0d82b338edab885b7fe7e292ff040ce8626339b6d6494

SHA512
459480477debe153354b46b53494b4808bc59ac6346f6a842daae427042586233256694e23b0e99944e3acff4eb587f2eb8a58e632175cb947510c00ca192dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
fd75956a05948e030515a8a8dae80a18

SHA1
3bb5ab1817f233bf92ceae52a7ea0426966e7db3

SHA256
01c832e3f451114bbbf31a2f13d7c54e271e0e899b15228b0262e57d4067a196

SHA512
307e74a34ae63b949f301b2a13c9e3e16a5b77b5d88618f17a9322c5ca04865a3abff99fe490145481e10ca46879eb66e6e4c6ea0c206bffbc9f80d90fbaafb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDSXQGQKILXAYGT\service.exe

Filesize
520KB

MD5
b80515d0302b0cdb4b5f62e529f3887e

SHA1
d51b94754a411effe7c8de2dc3117934dc3ee991

SHA256
5be1e8213bad55a886343172f34a47afafb2e3bea57cb88507cfb893e3a0e034

SHA512
64337929b90ca0e7ae8f1be5839969fdaae9b27829013cd7e154997637a7d41da4ca0feb628986f460711efad5698a6406ab1c4be7204767b18d439b6a9f5422

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe

Filesize
520KB

MD5
cb41ea1264c27747b80f9b0a595d87f5

SHA1
6634972cc091e4f9f2c3b0cab2fa0d16198ca8d2

SHA256
b2ea3920243f0c2f4a4f9d1031302554397e9c0fe986a057f84afb42f2ea8886

SHA512
391b4779681b94e0df9238af694b74fdf8898715b0451dfe64ecd3ac34e2c951e8f45502b58a3f95cbfee86549a919ebdd198e516726e7f3f0a12f28bac5b1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe

Filesize
520KB

MD5
5d9a4ab35c441a0e15d16d627bf5a115

SHA1
84ca38480428b44c93c389d149bce4c3839591cc

SHA256
4714b8cc08b4f22ce2bc67128659a91db453e68d15987af94b72889d0dea0ac4

SHA512
0cbbd8b11907f8e1c93288fb0f77fd1e9eb76fb151024f7cad9985209116462aa870035b209d657bd50ffacc57f78319029aa0f8758cb382b93dc70a60760988

Download Submit
C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe

Filesize
520KB

MD5
0b78482981e628790eb84fe67126be78

SHA1
4358e4adb8059f42da717f7921843bed4bdb4eac

SHA256
50870926a0e2a63f380c4821777c28ceb333614de3e711fad78b43013827ef71

SHA512
a8cdccd91fc1b20d7f3fd012623213c7267a72f3bd81bd388904777d0c934e86e25116b903cf5cbcfc484b92b415f92b0366e42c4b35d98fa61a3b594c0155c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe

Filesize
520KB

MD5
7fd2bc5b9078c21d2b9bf3f08c3fc1b1

SHA1
14a08c9458f19ccb3dc6a929d2d19f35beea3f22

SHA256
c8542acf9f8110db941cf3e80fa462821e2d09cc9314f87fea82a475d6b5ec04

SHA512
b01df5510ec5beec4ddf40253472fa52602f47be0e025d83b845b5b91824cb97077a10018749558702ffa20ac4e3173cd676b6423f83ceccecb990a07627c2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe

Filesize
520KB

MD5
6ec46e3cc93569d1ede7ce9010600951

SHA1
e86579f2085065813f312910dad0ca03e127456a

SHA256
aaa4177315cb37304d9a7ad18b5931a39866a047092bebae59478bee53932403

SHA512
0133dc8837fc9bfd34e4540f336811af3ff10f1d1476f7e76c2804563a6a1cd803423debda458de2c3acdf69f8d293d438b80d69283db607b070247b5fdf747b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe

Filesize
520KB

MD5
767cdbf9144b40d5db155fae034a07bb

SHA1
d76081a7afb7ba20f5bda11ff9937823bab7beff

SHA256
5c5f52e5629eb83f2d5583f552d125fd63a1548f4c5bf893423828edb70e46d4

SHA512
8ff191d368cef1fe2d827e0e6a7a202ac4976684092d73236b4213e7630cec39dfec8d28e4ed284833edcca89a9eb45b464e35ba952ac272cd47714a7e29e549

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe

Filesize
520KB

MD5
cd44cfc15ad2f93bb34083d428904e03

SHA1
64efe6eefd4077b1bad8f726e106b027e0de728b

SHA256
58753a013acca43b4139c6fafc900747423ee9508de1754bc7687454e7dd540e

SHA512
971223a74aef1d6801f679eda06d3173b5e2788a45d487718ab22fe239b0c1cee2d66b932f5a375fb6fdc610998314aee7f119e158dc3afc87ad2913f89851b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

Filesize
520KB

MD5
13213f63c0f62137e6be46d53a9faae1

SHA1
310bd768c7c4f0f95e440c945638004c177d6948

SHA256
9d529ebdbec0b460eecad077e1d63f24c8756dc4367a9b60f783582be01c4fff

SHA512
854b21109fa930bf3a5614c98836430594a0306fea9bbf2c70e2350b071ebd450e7a746bce86cb8f1dd52b2a8bf5b5ec8c43ba7b47964d183bc37d209192b27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe

Filesize
520KB

MD5
7414b1ecd54f56e4a6b9ee732226d188

SHA1
d4371c3cd6de6c04985f90db1ab74096c5acb944

SHA256
18e91963abf089a8076f2a4c37be55d606f3c373b8801118a3ba7e0aee68744c

SHA512
803bdc32883a30a0b8848a16a0ee9d65073d963a1ecdd48983d1f1d8ed16be9ebd5d2bd8208a8ecc5e99be0771a1cdc0d6b5061b969f2111a5e951e1f59c3808

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe

Filesize
520KB

MD5
71f5d40efc2b50d544019dcdbef2282c

SHA1
78d555d348bb9e9af00665c649061985eb76420d

SHA256
89b06ff7be893241753a8b92475300e638c7516dcbbfc0a94ca87cd0f0204dea

SHA512
5ff30a0ef4a63255e5636266764daa9ca4e7787653f95cbeedb84e868309bcd203a49293df039683bdaeafac604d5963ab86f73285e95c651a5818a450772939

Download Submit
memory/3420-834-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-835-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-840-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-841-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-843-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-844-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-845-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-847-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-848-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3420-849-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads