blackshades | 8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/03/2025, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe
Size

520KB
MD5

93d98dd9137c73dd110a48481a7d7a1d
SHA1

64b3ae0a791c50a0a6c77657514c47e8f435ae88
SHA256

8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40
SHA512

17da3514379de89a699d4d376855e7b0901d14b34e6c376ad627de3c4f1beffa5e023571afece8a2e8629dcdd86ada00e152314843bac3a55f3c0c319b5dcf87
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXb:zW6ncoyqOp6IsTl/mXb

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral1/memory/2712-1436-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2712-1441-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2712-1442-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2712-1444-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2712-1445-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2712-1446-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 58 IoCs

pid	Process
2268	service.exe
1888	service.exe
2000	service.exe
1568	service.exe
2300	service.exe
1900	service.exe
1588	service.exe
2428	service.exe
2492	service.exe
2744	service.exe
2792	service.exe
2336	service.exe
1912	service.exe
1108	service.exe
272	service.exe
1648	service.exe
1756	service.exe
2948	service.exe
2964	service.exe
2708	service.exe
792	service.exe
1904	service.exe
2096	service.exe
1616	service.exe
1604	service.exe
2472	service.exe
2888	service.exe
1020	service.exe
2016	service.exe
1964	service.exe
704	service.exe
2664	service.exe
860	service.exe
1496	service.exe
1884	service.exe
1392	service.exe
1472	service.exe
1800	service.exe
2972	service.exe
316	service.exe
1928	service.exe
3048	service.exe
1088	service.exe
1680	service.exe
2996	service.exe
2532	service.exe
2528	service.exe
2912	service.exe
2756	service.exe
2620	service.exe
1632	service.exe
112	service.exe
2192	service.exe
1088	service.exe
324	service.exe
1548	service.exe
2108	service.exe
2712	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe
2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe
2268	service.exe
2268	service.exe
1888	service.exe
1888	service.exe
2000	service.exe
2000	service.exe
1568	service.exe
1568	service.exe
2300	service.exe
2300	service.exe
1900	service.exe
1900	service.exe
1588	service.exe
1588	service.exe
2428	service.exe
2428	service.exe
2492	service.exe
2492	service.exe
2744	service.exe
2744	service.exe
2792	service.exe
2792	service.exe
2336	service.exe
2336	service.exe
1912	service.exe
1912	service.exe
1108	service.exe
1108	service.exe
272	service.exe
272	service.exe
1648	service.exe
1648	service.exe
1756	service.exe
1756	service.exe
2948	service.exe
2948	service.exe
2964	service.exe
2964	service.exe
2708	service.exe
2708	service.exe
792	service.exe
792	service.exe
1904	service.exe
1904	service.exe
2096	service.exe
2096	service.exe
1616	service.exe
1616	service.exe
1604	service.exe
1604	service.exe
2472	service.exe
2472	service.exe
2888	service.exe
2888	service.exe
1020	service.exe
1020	service.exe
2016	service.exe
2016	service.exe
1964	service.exe
1964	service.exe
704	service.exe
704	service.exe

Adds Run key to start application 2 TTPs 57 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDBJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUNOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPFQJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\QVGEIDLWBYTRAAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNRFJECTYRHHJEA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIAQIGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAAVQELFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPRVTWHMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTUHNUUFYYNWJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHWXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\NJJVSPTOWLMELMU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WJLGEGWKRALQBNY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDECKDHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFSAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIWXJPWWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSODRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IWVHQHQNIYRCSCR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACWTNBXIYDHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJXEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFFRXOMQLSHIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHXGOCCDYDUPCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIWRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQCCPVNVJTK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKKRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFBVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNQFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTFMQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OFEOMLPCGCAQWOF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYTSAYUKXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\SRVIMIGWULKMHAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYHQGLDULKAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGSECGYYUVINU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\UGDHCKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMHFIYLSBNSCOA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDMEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTSWJNJHXVMLOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IXYVEEQWNLPKRGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGWFNBBCXCTOBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\IXYVEEQWNKOJRGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBBCWCTOBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\LYFOXVGCNGHXQTV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRKPWIICWADTPQL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\EINBMVMABWSNAWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIFJEMBYCUSBCVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROJDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGOCCDYDUPCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVRMVGWBGVWTDOU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\VWJOVWHBPYLKXEV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWMWQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYVWIOVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXCPFTOMRERTOHK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOIBGNWNSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXVDEPVMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWBSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\BQROXJPUGEIDKWA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOYAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNMGPXHDOIJSVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVCLYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNGMTEFSYPXMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMIJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGBAGCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLCNSLBBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIIUQOSNVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGCXRFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLYCMSKBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\QIROIYSDTDSTQLR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONOKIPKAOVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLGEHXKRBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOSXEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOCFBQVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNPBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQK\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
604	reg.exe
2772	reg.exe
2088	reg.exe
2328	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2712	service.exe
Token: SeCreateTokenPrivilege	2712	service.exe
Token: SeAssignPrimaryTokenPrivilege	2712	service.exe
Token: SeLockMemoryPrivilege	2712	service.exe
Token: SeIncreaseQuotaPrivilege	2712	service.exe
Token: SeMachineAccountPrivilege	2712	service.exe
Token: SeTcbPrivilege	2712	service.exe
Token: SeSecurityPrivilege	2712	service.exe
Token: SeTakeOwnershipPrivilege	2712	service.exe
Token: SeLoadDriverPrivilege	2712	service.exe
Token: SeSystemProfilePrivilege	2712	service.exe
Token: SeSystemtimePrivilege	2712	service.exe
Token: SeProfSingleProcessPrivilege	2712	service.exe
Token: SeIncBasePriorityPrivilege	2712	service.exe
Token: SeCreatePagefilePrivilege	2712	service.exe
Token: SeCreatePermanentPrivilege	2712	service.exe
Token: SeBackupPrivilege	2712	service.exe
Token: SeRestorePrivilege	2712	service.exe
Token: SeShutdownPrivilege	2712	service.exe
Token: SeDebugPrivilege	2712	service.exe
Token: SeAuditPrivilege	2712	service.exe
Token: SeSystemEnvironmentPrivilege	2712	service.exe
Token: SeChangeNotifyPrivilege	2712	service.exe
Token: SeRemoteShutdownPrivilege	2712	service.exe
Token: SeUndockPrivilege	2712	service.exe
Token: SeSyncAgentPrivilege	2712	service.exe
Token: SeEnableDelegationPrivilege	2712	service.exe
Token: SeManageVolumePrivilege	2712	service.exe
Token: SeImpersonatePrivilege	2712	service.exe
Token: SeCreateGlobalPrivilege	2712	service.exe
Token: 31	2712	service.exe
Token: 32	2712	service.exe
Token: 33	2712	service.exe
Token: 34	2712	service.exe
Token: 35	2712	service.exe

Suspicious use of SetWindowsHookEx 61 IoCs

pid	Process
2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe
2268	service.exe
1888	service.exe
2000	service.exe
1568	service.exe
2300	service.exe
1900	service.exe
1588	service.exe
2428	service.exe
2492	service.exe
2744	service.exe
2792	service.exe
2336	service.exe
1912	service.exe
1108	service.exe
272	service.exe
1648	service.exe
1756	service.exe
2948	service.exe
2964	service.exe
2708	service.exe
792	service.exe
1904	service.exe
2096	service.exe
1616	service.exe
1604	service.exe
2472	service.exe
2888	service.exe
1020	service.exe
2016	service.exe
1964	service.exe
704	service.exe
2664	service.exe
860	service.exe
1496	service.exe
1884	service.exe
1392	service.exe
1472	service.exe
1800	service.exe
2972	service.exe
316	service.exe
1928	service.exe
3048	service.exe
1088	service.exe
1680	service.exe
2996	service.exe
2532	service.exe
2528	service.exe
2912	service.exe
2756	service.exe
2620	service.exe
1632	service.exe
112	service.exe
2192	service.exe
1088	service.exe
324	service.exe
1548	service.exe
2108	service.exe
2712	service.exe
2712	service.exe
2712	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2912	2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe	30
PID 2876 wrote to memory of 2912	2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe	30
PID 2876 wrote to memory of 2912	2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe	30
PID 2876 wrote to memory of 2912	2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe	30
PID 2912 wrote to memory of 2892	2912	cmd.exe	32
PID 2912 wrote to memory of 2892	2912	cmd.exe	32
PID 2912 wrote to memory of 2892	2912	cmd.exe	32
PID 2912 wrote to memory of 2892	2912	cmd.exe	32
PID 2876 wrote to memory of 2268	2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe	33
PID 2876 wrote to memory of 2268	2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe	33
PID 2876 wrote to memory of 2268	2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe	33
PID 2876 wrote to memory of 2268	2876	8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe	33
PID 2268 wrote to memory of 2728	2268	service.exe	34
PID 2268 wrote to memory of 2728	2268	service.exe	34
PID 2268 wrote to memory of 2728	2268	service.exe	34
PID 2268 wrote to memory of 2728	2268	service.exe	34
PID 2728 wrote to memory of 1128	2728	cmd.exe	36
PID 2728 wrote to memory of 1128	2728	cmd.exe	36
PID 2728 wrote to memory of 1128	2728	cmd.exe	36
PID 2728 wrote to memory of 1128	2728	cmd.exe	36
PID 2268 wrote to memory of 1888	2268	service.exe	37
PID 2268 wrote to memory of 1888	2268	service.exe	37
PID 2268 wrote to memory of 1888	2268	service.exe	37
PID 2268 wrote to memory of 1888	2268	service.exe	37
PID 1888 wrote to memory of 2324	1888	service.exe	38
PID 1888 wrote to memory of 2324	1888	service.exe	38
PID 1888 wrote to memory of 2324	1888	service.exe	38
PID 1888 wrote to memory of 2324	1888	service.exe	38
PID 2324 wrote to memory of 536	2324	cmd.exe	40
PID 2324 wrote to memory of 536	2324	cmd.exe	40
PID 2324 wrote to memory of 536	2324	cmd.exe	40
PID 2324 wrote to memory of 536	2324	cmd.exe	40
PID 1888 wrote to memory of 2000	1888	service.exe	41
PID 1888 wrote to memory of 2000	1888	service.exe	41
PID 1888 wrote to memory of 2000	1888	service.exe	41
PID 1888 wrote to memory of 2000	1888	service.exe	41
PID 2000 wrote to memory of 2112	2000	service.exe	42
PID 2000 wrote to memory of 2112	2000	service.exe	42
PID 2000 wrote to memory of 2112	2000	service.exe	42
PID 2000 wrote to memory of 2112	2000	service.exe	42
PID 2112 wrote to memory of 1948	2112	cmd.exe	44
PID 2112 wrote to memory of 1948	2112	cmd.exe	44
PID 2112 wrote to memory of 1948	2112	cmd.exe	44
PID 2112 wrote to memory of 1948	2112	cmd.exe	44
PID 2000 wrote to memory of 1568	2000	service.exe	45
PID 2000 wrote to memory of 1568	2000	service.exe	45
PID 2000 wrote to memory of 1568	2000	service.exe	45
PID 2000 wrote to memory of 1568	2000	service.exe	45
PID 1568 wrote to memory of 1384	1568	service.exe	46
PID 1568 wrote to memory of 1384	1568	service.exe	46
PID 1568 wrote to memory of 1384	1568	service.exe	46
PID 1568 wrote to memory of 1384	1568	service.exe	46
PID 1384 wrote to memory of 1580	1384	cmd.exe	48
PID 1384 wrote to memory of 1580	1384	cmd.exe	48
PID 1384 wrote to memory of 1580	1384	cmd.exe	48
PID 1384 wrote to memory of 1580	1384	cmd.exe	48
PID 1568 wrote to memory of 2300	1568	service.exe	49
PID 1568 wrote to memory of 2300	1568	service.exe	49
PID 1568 wrote to memory of 2300	1568	service.exe	49
PID 1568 wrote to memory of 2300	1568	service.exe	49
PID 2300 wrote to memory of 1860	2300	service.exe	50
PID 2300 wrote to memory of 1860	2300	service.exe	50
PID 2300 wrote to memory of 1860	2300	service.exe	50
PID 2300 wrote to memory of 1860	2300	service.exe	50

C:\Users\Admin\AppData\Local\Temp\8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe
"C:\Users\Admin\AppData\Local\Temp\8d991ddc0fa5cc0bd0e936c8d93810365e44fd6f7d17c9f4c10a695d98f62f40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempQWMKO.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWTNBXIYDHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2892
- C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
  "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:1128
- - C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe
    "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:536
  - - C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe
      "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONOKIPKAOVEP\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\TSCONOKIPKAOVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCONOKIPKAOVEP\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEPWMK.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHWXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHIRMV.bat" "
        7⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFFRXOMQLSHIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        8⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJGOBH.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOIJSVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXCHWX.bat" "
        11⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EINBMVMABWSNAWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFTBON.bat" "
        12⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLCNSLBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJWHGK.bat" "
        13⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFSAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIVCTL.bat" "
        14⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTUHNUUFYYNWJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGDHCKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMHBBQROXJP\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\GOGYPMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGYPMHBBQROXJP\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPXPEM.bat" "
        16⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIIUQOSNVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCXRFMH\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCXRFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCXRFMH\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "
        17⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXO\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXO\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
        18⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLGEHXKRBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQQFOA.bat" "
        19⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJJVSPTOWLMELMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMUGNR.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUNOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGPGE.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFJEMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        22⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEGWKRALQBNY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACPYL.bat" "
        23⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIWXJPWWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBIWER.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOCFBQVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKNPYU.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIWRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
        28⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGHPL.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEEQWNKOJRGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTOBID\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTOBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTOBID\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SRVIMIGWULKMHAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYHQGLDULKAU\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYHQGLDULKAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYHQGLDULKAU\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXCUYT.bat" "
        31⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIYLSBNSCOA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDMEJX\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDMEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDMEJX\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        32⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNGMTEFSYPXMWMI\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\UNGMTEFSYPXMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNGMTEFSYPXMWMI\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYFOXVGCNGHXQTV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRKPWIICWADTPQL\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\XRKPWIICWADTPQL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XRKPWIICWADTPQL\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        34⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHBPXK.bat" "
        35⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYVWIOVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDESAO.bat" "
        36⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLYCMSKBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "
        37⤵
        
        PID:272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLJNIQ.bat" "
        38⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVRMVGWBGVWTDOU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNTFBL.bat" "
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWJOVWHBPYLKXEV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWMWQORCHMLT\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWMWQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWMWQORCHMLT\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
        40⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWHFJE.bat" "
        41⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QIROIYSDTDSTQLR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXFNE.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVGEIDLWBYTRAAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWO.bat" "
        43⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJNJHXVMLOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
        45⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNQFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMQ\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMQ\service.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCLHVU.bat" "
        46⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNRFJECTYRHHJEA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQIGR\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQIGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQIGR\service.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        47⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXCPFTOMRERTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYOIBGNWNSKSGQH\service.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        48⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "
        49⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
        50⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
        50⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe" /f
        51⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGHQL.bat" "
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEEQWNLPKRGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe" /f
        52⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "
        52⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXVDEPVMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWBSNAIC\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMBABWBSNAIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWBSNAIC\service.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVGAOX.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSECGYYUVINU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAAVQELFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe" /f
        55⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEGBIW.bat" "
        55⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFEOMLPCGCAQWOF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYTSAYUKXAF\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBYTSAYUKXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYTSAYUKXAF\service.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSPYKQ.bat" "
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWVHQHQNIYRCSCR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXSQAT.bat" "
        57⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BQROXJPUGEIDKWA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe" /f
        58⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        58⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f
        59⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        61⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe:*:Enabled:Windows Messanger" /f
        60⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe:*:Enabled:Windows Messanger" /f
        61⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        60⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        61⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        60⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        61⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACPYL.bat

Filesize
163B

MD5
adc9cac2427b8d4c731806d76ce77981

SHA1
0a8f79b1d799052be679f429e28c8ec61fbd4f99

SHA256
7cf13c1dff247593daa4667e2446ea1b686cf218a3b470fa8ead51d5eca0cdb2

SHA512
d083bbd4d449dde8fd966bd20b8ea4621763442de52188b016d55df3ded396a16d1b921e7278e80043cb741d81b7f2fc26ea9842d22ea5acb8cf635d4da3b5be

Download Submit
C:\Users\Admin\AppData\Local\TempBIWER.bat

Filesize
163B

MD5
c78a9c4a35ade4129cca9d1e9fd17d34

SHA1
bec85bc03f9797ec011767d39a60fd8a6912f417

SHA256
8cd75fc67979d0c3c56d6730ecc15e6c45ef6dab654666368196e5e97d1491ea

SHA512
d49cfec62ab739821ffe1b2bb947e5d29fa76810203c0e03784e267832c23a7449c192da90bc048474f15a34663b610733f4195462ade9298584a0538864e118

Download Submit
C:\Users\Admin\AppData\Local\TempCLHVU.bat

Filesize
163B

MD5
9ec09b590ade638472a4660af7cd7af5

SHA1
9eeb2c6c17167e424e625e759cd09bdd30b6ebfd

SHA256
800fd5d0c7ab61999cf249ec22dfe30f0c03646f562bc5d1259ff022b51236d1

SHA512
cfd0519be242856a52b5111c03446fcc26d2f24a62c9464780d66e20ad17fc3a255920cc6d4963b24ace1c47898cdf121a18201db27ba8320bf6eaada4273ed2

Download Submit
C:\Users\Admin\AppData\Local\TempDESAO.bat

Filesize
163B

MD5
5b8a64d8a40c0ee634f051917d11e111

SHA1
e803fb652a18a07cea05c4174de8361269e8193e

SHA256
0f7ddfe9ea42dc3c0b9769896b24b77eb92e5aa47ea797462d56e89242db8c22

SHA512
183d901404e67e2b839a50daa7de077716297d5c818407897c297dba7133d2c9ad15f74b75592140233a7e4ea2dd44fe6a69727ac02680ce585feb55503c3eae

Download Submit
C:\Users\Admin\AppData\Local\TempEGBIW.bat

Filesize
163B

MD5
83100d66f21ff678aa6d34e46ff65d32

SHA1
d66d06ab3e2516e5138b87c91d69eefa91b8445a

SHA256
e40003f1c42b60f8fb2fe6afceefe21ace7033b79f0d7889227629f31fda61d5

SHA512
f67f0d10e8d42cf8ff60206cc6473c3a7c39b2a8f930a7489b1b52231a272f3892574e76a09a1ebe15221849399ac64be8818e917d2f449a96d10efdb1f71e12

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.bat

Filesize
163B

MD5
ca608a2677cb8b8fc8d6b7d0147c4670

SHA1
f7fffdf40be672870e403daaf70020cc389a8f57

SHA256
977a3907f40c9fea2e70248541c26677aef506bbc8ad6dcaabdc18c287f41df6

SHA512
390d64b7f2a26fb0cb89a3a7097d5922b80b5d70c662ba566410ffd1977c59c2d7634c6cc4d52c273a702554a5b26bfedfc0d8f12d0f637103e71e5748c25765

Download Submit
C:\Users\Admin\AppData\Local\TempEPWMK.bat

Filesize
163B

MD5
6df101e5793392a3a4687cb3f0d05d43

SHA1
8bde684a4b0df6d745ccf82ac144b7f10552c5f0

SHA256
89213ed3a57910f62abb88be0afd10006ad3c0229991b8387f4d6a915970e9cc

SHA512
d918b19bf4e2ae9a0678321b6253aa4efec4b87d2248d3faa05e282fe1a85625f777df6bde8e6be7d92de6901528a29c97fba82027281fde1f7cefa2f827bea9

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.bat

Filesize
163B

MD5
502355bc3a6cdf3113d94e77f0da4b3f

SHA1
01b720ca6512770e3bb1d082949f3d5e9a557ddf

SHA256
1ff69e5324fcd04e3e4c353a98844379f27c717706596457e91e01c6548dbbc8

SHA512
fa6d15cf9354b56f3d21ebcdd3444a4af491caa1cefa7a215a819e07322892daf45afd796187d017a973562b6d7683d09ba24f0ce1e1aa5499d21dfbb46ba94a

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.bat

Filesize
163B

MD5
673f3201100fe8a257c12e36f4049a29

SHA1
f97afb1d3b91a839c87d2001b497351d2bf2f5ef

SHA256
4b736c214c6432ed6ec4c1b7c8ec97658fbd66a276b4b469e89b92fbf3721e26

SHA512
8ed78e8fc185d91af59d99ce418bbaf3e9079dcdccd1c38c0fe9574a4abfa6d0bb310084d07e2438261f6ba4d60d80b8286d94d763b3fe4c7ed902d9abd259b3

Download Submit
C:\Users\Admin\AppData\Local\TempFOKYX.bat

Filesize
163B

MD5
2c03983841b761156b9c170b2b6b5c80

SHA1
8f602b6960668ec9e666c2ffd725742de1534fd4

SHA256
4168dfc122e78b31ede5c01acb54ecfe51139f09d17584a16d5907e4714797be

SHA512
c6bb232f5b5e487301e34016a160c39e2c88d241d08ae36735848efb8fccb9038a9a3087e74275bfe0c60b83ee2c311238f04059a47594de2d7bc094980c78a2

Download Submit
C:\Users\Admin\AppData\Local\TempFTBON.bat

Filesize
163B

MD5
d3bf12dcf3fd84d6bc32c940cdabef6d

SHA1
c1fed0b2b56f493aedaf32524864a31d09e18e21

SHA256
2dcc25820295d82e1f5475159d409cd5292f77d23611e62019a617bb447bdebd

SHA512
c57bb72b0ce39ce5cc0d01ebd90351ab718b2d5a4c07fcd3cb624603d4c87fd6ed25d470f5eb8602bdfef3c20d2b48d3fcd37aeae808050930aa352e4a7301d9

Download Submit
C:\Users\Admin\AppData\Local\TempFXWST.bat

Filesize
163B

MD5
f5dddc8c8195b915447e8eca984daf4a

SHA1
92ac8e13c3544047b426c6a188f1e272801f7f73

SHA256
b06d5882fc6605999b1c1165924a3d714579131c568bf8042f795dacbeac91a4

SHA512
f2bb539fa5e023adfd3371e6623b7104a9339046af16b3bb64dd54ac15de7f4924414e2eeb5de51270df6e69f66a6a734e3955dc4edd2afe9299c6046921db77

Download Submit
C:\Users\Admin\AppData\Local\TempFXWST.bat

Filesize
163B

MD5
8d2610a28d3bef3ed5a29d46322e90ff

SHA1
f2ef7a6798399a3b2b003aea867509111306bb12

SHA256
07f66365b9910931022400eec457051b9c65c690492ba1fb9275b0d0b20eb041

SHA512
de374432a44d40a7f6883eb8765fe3ff2fc53221005acf148b4be088688abcbe4ee8deeb00b160d8b7ce66d5fd8c658a8c43fe25fc025e9848ba706d7b3a4726

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.bat

Filesize
163B

MD5
a3fa5b704e9a07cf42f47adbe6790a64

SHA1
6e5722d42c852c2eaa08330707c69819d747b7bd

SHA256
11cc2c4ed9c99550bc3ef3705fda1f5d7deef3e1ac1fc274e2c8a1d5bd824a74

SHA512
18904941ddbe9bff83c10ab403f4dd4c81309fae4a01c57e2bf2a2413c96188cef27e5480bb8df8751104b9c4e3334e8c9cc2b4b73243dd7787eb5bce1653d6f

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.bat

Filesize
163B

MD5
d08312486c2363cde3608c7f6aae929b

SHA1
ea141ade6316b85c75e30747cca8780805dc95a6

SHA256
fd09e9f788123196f451932af63ba9561db558d825be10e882b7004183c5458a

SHA512
58b7b019b32b1958cba0cf8f2e0691d7c63769bcb98b3c6ffc982b1fd3783b9fcea8011be83bd5c660bacaae24710fddf547979f04d846da1f93a092d50f3e06

Download Submit
C:\Users\Admin\AppData\Local\TempHBPXK.bat

Filesize
163B

MD5
988a9a1dd2014ac865ad41e01c8aa11a

SHA1
4eed443a0fb6e5ef34014f004894de09c20ee7d2

SHA256
15d38228aeb7f96d7cc9762fffdcb10aff39bfb5101cac7fb1a7544fdf45c965

SHA512
b6c638e508cbebb357becca55393b47f8241c644b6c8af1810ed9fd47c26da7dd0d8e557c1376858e66054cabb658d0a81ccf6f88afc96f02e7e88468fb99e19

Download Submit
C:\Users\Admin\AppData\Local\TempHIRMV.bat

Filesize
163B

MD5
4cb76a20eec478a8667753e9471960c3

SHA1
3ad3469cce19bd8e64e4f666ddc44829d415e96e

SHA256
efbc80e411e269b84c0e03fa6a1f2cd9a67c76a4657cd675ada9e8d4f53686e7

SHA512
cf81a274faa72261f987e58e13478c760f45a36eb6197a1393bd18c02030adda872005a90452c902322ea62fe58c9d7243826a44f0b5d63ab9ee2c451d6c83e5

Download Submit
C:\Users\Admin\AppData\Local\TempIIRMV.bat

Filesize
163B

MD5
c29b65e2d961463ea3a891d4853c8097

SHA1
084ea68f1e7dfc34469a56f244daed956777d943

SHA256
f22fd4efc0bd3b02c6465be47f31ea9eb84691a0c71f87307045d0bac798177e

SHA512
d3d04f5f4fbb5e9d052777beb71aebd6a36a73510e0f53137c6dd91122dc0b3055ccb7bd9085b86c8c9058cf1e658c5cadc431fd46479c1aeb2cb366cb924a70

Download Submit
C:\Users\Admin\AppData\Local\TempIVCTL.bat

Filesize
163B

MD5
97dbdc68094ba8071f59b666be93c5be

SHA1
9c09f0b323dd029e420558dfe8cf7a30004f8fc3

SHA256
10c57e36fd4b4adf438520052e61f451a9e8713d4462e8165def9728bcf764ef

SHA512
3a1394c3b95b4695512f2d284cdf3ead36027809591e6b6606f847bc0747819c63436752c0322abcf44d6ff0a1a28c7fae10b36a19b73341a8c44a720f7a8180

Download Submit
C:\Users\Admin\AppData\Local\TempJGOBH.bat

Filesize
163B

MD5
f87d5c52eef43f4774ff1f3f5546abbd

SHA1
1f2d1221095c4a20ef510c93fed95eb39532bd5c

SHA256
77242b1505b2b7eee2f8283d34d521a7e434775dcdd5df622d77297bed8b1843

SHA512
1f0f1d1274f3b95a8e0532a573b909f501304f9c06191142193adec33bd2cef6b5cc4acdede95a2dfad4e21faf30363a7a7dea5f883e6d704e36a716da96a673

Download Submit
C:\Users\Admin\AppData\Local\TempJSOWO.bat

Filesize
163B

MD5
b0db7b0f95e58fb3f219df5a00c15a87

SHA1
e0e8938c85b4e46bbb0540310673f02a64b18fbe

SHA256
9d13398500fccb24e0540bd7b1aecd452e656b6fbc4d5f02b1ac9ae35f27f104

SHA512
b5291a8c6d2486dcb1f971f7aa2b462a03bcaa7c7b6a349fbdd0667cdca2929f39c342b44406a8dc5b7b811fd7b1f3ae8fc885265dc6ccba618f1256af83f091

Download Submit
C:\Users\Admin\AppData\Local\TempJWHGK.bat

Filesize
163B

MD5
cd7b73ecdab64dfabaa705c8175aa245

SHA1
f28fb8fca424755a0dbd828c77c6d0e583b9fdbf

SHA256
3c9928829d3e5d2b03d80be1301e08e77f42dbd1247665728c0751931459099e

SHA512
bdef52704c32326b0e08a96e910a650a3ee5c5e1ec956aa839bf49bbd0227d87fa540c466686a9616a0cd4e0e7ec55fded3efb66719ca6acf9fd9584e57f489d

Download Submit
C:\Users\Admin\AppData\Local\TempJXFNE.bat

Filesize
163B

MD5
fa14a2c5a22876e8a9aba9c4372871de

SHA1
c44ecc60cbdfbf628c80f6f3013fa756ae008cbb

SHA256
6308d6179a725dbd99c66bfbf6524f0159f1beaa28323025a24343dd19920d79

SHA512
4ee7997a77bd1d11f422d135f773475561b4587dcc08c39643bd3c5e23f31745ed710842e312f7129b5967e09a749bee092a1616a462f107afb4ccda4d1efa90

Download Submit
C:\Users\Admin\AppData\Local\TempKNPYU.bat

Filesize
163B

MD5
65d80185d1d4548405234138b5acc267

SHA1
4af7f8d250c2c333d93de9a3dd82ecf2fa82315f

SHA256
f0e91689dbed3dc6a62c155033cd81e4b8f27a27af2549836cfb2d2c2cc37a97

SHA512
be96ccab1e609125716ef0fb3d60b3f23caf2ad0014dc414b85ffbbea3792df2e7974553994985d8000e4a0d1349a0c7c20e5315a19d406c82a1b74676a2224d

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.bat

Filesize
163B

MD5
50641c9d5b7166bcf781c6adc7e2b1dc

SHA1
26d56ddb82923857198d1d69de8f3d9b0e60853a

SHA256
d8f73203064b13864fb4b902821f2864a13489b951b282c231ce8f40e906c029

SHA512
8779e6610bdd3d9b937150d5fe31899ad3f6a81b9dbd73300bd384f99807dad7b3ed2e557c2b467b00aed932f0b89d76b8256cd71c03e4b9ad38595b867300f5

Download Submit
C:\Users\Admin\AppData\Local\TempLHVUG.bat

Filesize
163B

MD5
a515bc85e1b4f9ba95cb97104cb9e641

SHA1
86c7b6c22a58f81de6ec366578dc0b949ad9b5f5

SHA256
ae49603f7e9ccf92ffb8a7dd10a0c5dc6b657e56770dc40421289cfa4128fcb3

SHA512
0a788e7af48cefc9e7f865826b635318837549e9f68c1d13e24ba4ac29563c36dcd4d397df5bc73026ec57f0655aeb4b2b9740758e1216c2498a0c6898c4dd79

Download Submit
C:\Users\Admin\AppData\Local\TempLIQDJ.bat

Filesize
163B

MD5
fd2e1ac873abdcf75d414027ffc438af

SHA1
031fc7c7a45c88e0122241cbb6d2d8f5be1a12be

SHA256
397ccbb85835159e8a38e447cc96082365901a66ed882919641a6c6f114c60cb

SHA512
9565732efe62cca6179aa42fd6c403ca1b333a63c2cda04478a9589fa67b48efd2369961ab01fc7fc8710f078a52f402d621772650e1eb185816adbfc327d4b9

Download Submit
C:\Users\Admin\AppData\Local\TempLJNIQ.bat

Filesize
163B

MD5
944f9dd9606843c2f7d10ccce55242b9

SHA1
a4f7092d70a573548bb2e599bef31c7929792dd4

SHA256
c316a48ca94a61b4e3bc8a74dd06b3b64af723257da3860246b00c5cbe07e23e

SHA512
1599e1adfad07174a851523515f0efce3edb37c35ca35c798579345c5f97338a69656d0f286304e27d0ed18b423ccca825c1830467d163b0d62ed6c3737ae201

Download Submit
C:\Users\Admin\AppData\Local\TempLYGPG.bat

Filesize
163B

MD5
2538190c6062703177adfabf523b9e75

SHA1
85c7ead20672b32c7efdfc2a759c252cd82bac7e

SHA256
16f5e79997c3314eb05c63dfb750478c20bf0f0b485544e73fb8521214643c42

SHA512
3e99bbd7c635083eb18b1f53f4abcee43429493725ce6cc4b557a7fbf8f6fc0a61315e85701b42ce2f52f16c60cf48bb5dfea3b5061db8c54fc79276fd67d846

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTH.bat

Filesize
163B

MD5
15efeb5154e9c7d559ee07f765723eab

SHA1
d643850419f1105a1c01e48702bd7de886ff58f0

SHA256
07119d8d655cd6fe43703b3b54bf0b6d16b4144f92c6445693f82bfef2ec44f5

SHA512
a6fb44fd5a84d23849d0208bbd5e34ed1f951cb1e0eb38f27cb92426522d767a39bb7fd4cdecbaabc44ae249638b975535f5cdf466ac56461dbaf3178448f5c7

Download Submit
C:\Users\Admin\AppData\Local\TempMUGNR.bat

Filesize
163B

MD5
e65890858f7fb8dad52e80356b191005

SHA1
2c6e3801a0cc15203581fe5fef35fbe2883edc74

SHA256
54f999d041ba8ca3afddfbe7d58063ea4c3b83fd7463b3216b5e7b0aaa20336d

SHA512
0e8e3164328b88513002fd82fb81dfea8e91e3e08e1f80fbbd47e395409ac56c6ee2847bbdead49d0cceaa33231c415ee570a30ccf90b047e1b44212296f35fd

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.bat

Filesize
163B

MD5
abf690e164624393c1ecd73a68b37838

SHA1
ca1889540908da3e0d10057c1eff7707d47fd8e5

SHA256
7630111c6a201dc176c6280a768fbf8d398ed9c2c583bf64e2ea9e820a6a9ffa

SHA512
fdfe4b2613cd43509316ee13d2e8ae9f923f5029d296e8c776e6a919a1d57dbbd53219f356b85cb8c4173ecd9d8ab33142ef8b6c73a3d72da195c18b82d81b6e

Download Submit
C:\Users\Admin\AppData\Local\TempNTFBL.bat

Filesize
163B

MD5
5d07a37a76a3e5be694deeebc565ef8a

SHA1
00bf97f5ee3a78796d880851844351c65d76bd5b

SHA256
d63faa41ee41c8aff538d8da296e937771ea563173a8c1fd511b93492ad196d8

SHA512
a56b536032efbd43a3cc1220327ec850b3d033d76ae147fedd7c8906ab55324b3bd1f56c6d28398afaacc9070382c56eee60d60314f982dd4cf988e888767310

Download Submit
C:\Users\Admin\AppData\Local\TempOXTSH.bat

Filesize
163B

MD5
f7bfb453faab979096f675bbba881d5e

SHA1
0018fd00202db197fd7efdb7d17749bae0f863f8

SHA256
282a1d54c280c2510264d7957caa67f6eb563107017bded592a55c3d5fcb6a15

SHA512
be71e8a29234d0de31003c30af92dac7986d192c5a41197c7b6159f4428bb94be89ac777e15322e8d7e11930dc7adfd24fd2ce001884599113a8149f5f87f7e0

Download Submit
C:\Users\Admin\AppData\Local\TempPXPEM.bat

Filesize
163B

MD5
c555f738a1395597dcd10beb32c3881c

SHA1
448c4a9c35d20414cf5837753756d6958563b2a8

SHA256
23045f2e15f269270a2ba75bc34f1402bb9248666b1eb79147d9e980764b025a

SHA512
872a44f204e6eb597178cc2f01e3cd5c95398403f6f2faa13c19fd474175d44d0c0b3b8f4a8a0bd822f29a8e5632a1046671bd06dffd7d391fa1ec5e2806dc5f

Download Submit
C:\Users\Admin\AppData\Local\TempQQFOA.bat

Filesize
163B

MD5
1d1d3a7b15acc3077be149c3e1cf102c

SHA1
ddc8f06ab4fa74b3ef67bc9d85eaa4892f0828c4

SHA256
491701bab7b93a4ebf62ccc19eaa66c1458555b42af28417231467b9fa138a5e

SHA512
7c2c519d7f93da24049bc70a9e734aa55c4d4d18575ced033122682e3e692eb9a2005c845aac6a3e7e549258650b070194333af68f6dab68c9448a9f55c7daa1

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.bat

Filesize
163B

MD5
6476e464821e7bd5ab5e6843e547b881

SHA1
46a7c08dd62b3f56b9450c8e44a3891b141cba4c

SHA256
6462f250f491d1b17086acde8076a181ed970fceb0117b68b86960c64759a574

SHA512
1e36d164ec7c8c690b8f7c29400b3cdfc830e842577d16c3669e68b83a13a506ac9cdcbda9a6582ec4e7f649b063f7713ba5e0811850014263ce16eca68ebe7b

Download Submit
C:\Users\Admin\AppData\Local\TempQWMKO.bat

Filesize
163B

MD5
a043f02835dad303c1429240508802b7

SHA1
5ee62658090a5de3b0829dad0c403e8064c17492

SHA256
9e77587d0c213e0ec3e88a597ebb55b96bc0c32759a5e8307cb2c21fb5b428ea

SHA512
12d045af37c149a50d14903f735713a412b0279a20b7ec647b4f2deed409640983136d6423dec8f377cae717d88cb2e83bf4d8d0eba6c92abb4cfc035c50043f

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.bat

Filesize
163B

MD5
e26e4d74d222826bd0617e3f35bb1420

SHA1
2bbecb46be2793f93adad4b6f6086fe7f9138965

SHA256
c149b633701a1c6332102530627c9648896f0debd8dc57eeeac83f52f31aa5e7

SHA512
41adad3b9a813b3167550d9f88900e7789efb28811590ac7ea749560faa413b47d3a02c99e7be078ca9ff9c8a1ae3a5cfb3c524157b0218fb558557d8d815189

Download Submit
C:\Users\Admin\AppData\Local\TempSPYKQ.bat

Filesize
163B

MD5
a7cf1c5e4d4f68010170b215b632d0e7

SHA1
a2c12c736736523d37014d16e55b094b47302a52

SHA256
c5c5f38e72300ac0d8ec739ba578e4feccf774bc247648ef09cd24e4d8e053ba

SHA512
1f5eb41f39d99203e1669633aa0a6920136faa906f4893cb7d5195ab03d9ce0cfdc771e6ea81823261887e22ac1d600077d2e6099303b25c07203a7792c72b11

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
b22132539dd436d0b5e7e9332b303beb

SHA1
816341d0d9bcc592a70cbf867c7ffc44b75c0544

SHA256
1f83c1c4e9fe62a8c51b5a794de6ea2a1b46fd3caa7e303c13b398f4c75a3058

SHA512
31ac6658660f0ac369b201e3ce563658ef64a9b1f53307be642acf7efa1c88ddd6ee9208a5a3c2136a60c5717eb63f4ff11d66e1df1ff932a26253493e0c47b1

Download Submit
C:\Users\Admin\AppData\Local\TempUPYPE.bat

Filesize
163B

MD5
e5c64e21857cb1515aa4e0909a84bf12

SHA1
421a7cd46da5cfcb8d2f6daea5d9a160afd8480a

SHA256
71d13c4c08aaa4805329d6749afff7d04725791179e51edd962176579a6a6585

SHA512
5d9b9aae2a73c788b8fa913060c654ff2a8676383c0ad82176ed231d064938668ae423ed4c5ee2f7e27ecfd3c10ffc1cef6ae99f2670b32d5315f527750ff6e8

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.bat

Filesize
163B

MD5
001fda6fb81f59f183629491e07d6ea5

SHA1
887172a96b984ce68a23ad449c1bee0ccc89b206

SHA256
17b05c2bfa9a136278b1df9bdf7f8549ccca141d2e1dbf7d385386d3da0f7e49

SHA512
308218b3a94a67cb0c4f3a96e79a9210cb02bbc4458ce6603dacf72d2d21a6580d15496e8b26565f82bcc144cabdad17cf1649eb9e277a7b4b4fff0ff6723fde

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.bat

Filesize
163B

MD5
859f6b4123f22d60f3a760d640eb4ed4

SHA1
78b6665614dfba9bf5f244cbbf5159b483f42246

SHA256
2ddea9cd9ef023380c942a60060b5461cfcb8906c1cc4fd4c9991cff0039f9c9

SHA512
812f1ae09183f5fdbecfcefad94574e1bf97a0fd95bd762e270411063003363963f9714679cf563b9a8b1c8a480801c10f69938a97b13b6a88dc1af7673d1c2e

Download Submit
C:\Users\Admin\AppData\Local\TempVGAOX.bat

Filesize
163B

MD5
c2a4762e032cbbe793d4bc3802349b03

SHA1
a267ba061ff095b053a2db506c206783b8d35160

SHA256
8d3d719e2acdbbd0d8aabf115abb5249b263b539a0f1370a24f7c32d39568391

SHA512
4f27c5af33eae2f129b5560034d134c9e5eacb389378eb0ff5daa7eaec7e35d7ad28d0fedac064334e2a528fe310c45386aeecf5b65954d68924ea9eb74e0be1

Download Submit
C:\Users\Admin\AppData\Local\TempWCUYT.bat

Filesize
163B

MD5
37d8942a5ffcb254da56c1cd09b6dbb1

SHA1
7675d4b9064da26c2f4b8caa977a6b486071b367

SHA256
442bfbedb2c1887a9a772b7fdc5a054cb086151bcd66bfadc8deee2cd8369cd7

SHA512
c257781d935a2474813176dcec7a7f60616ddce6a1956dec158a1763c16eee624d8b336007d2fafd7715f7a45bf7a2bbbb3652d9228dbfa8c0c04027e1d43324

Download Submit
C:\Users\Admin\AppData\Local\TempWHFJE.bat

Filesize
163B

MD5
82086cc8d2750f1b783943ca38bcd790

SHA1
2f7360e8be2a30cec417c7b0bce14b24a4e06266

SHA256
e77ca514bd70bb91f22065f8445a30f1d2e24e347ae2d9880d489ccd1f621137

SHA512
f38ab1e1e887778ff86c4ce7570d7f047bbde5e08a5f96d638195ef9cdfc65bdf28f100822d33bd11152970386ce623cf50abbc6b82082ad0e13d9d74639f7f3

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.bat

Filesize
163B

MD5
cee52e867eea3e6cb11cacb1454673bb

SHA1
d5caf048426777e248db7e47e96f69528e4356b3

SHA256
fb395866dd130573a86c20bcb009d21c8d66abd8480a12802ed16be4a29a1582

SHA512
9fb572a40499b863fce21c793d720878e8db6c7198fb9383b22709a84cd08bede1dbfef8aa1241010e0226e6597d28bc8dfacc36b93ba1b6561d15e6893da827

Download Submit
C:\Users\Admin\AppData\Local\TempXCHWX.bat

Filesize
163B

MD5
0a0b80f800044d9cff419319145efce0

SHA1
1127912ea506bd953ec3e93f39926fbfc00010c0

SHA256
e7f9bb169104179aac538e883f52880b89ee5438058936e2d3bef1b922fa92b9

SHA512
1b679fe1b41dac679184b2823130cf273b23eefb3ea3b6ea152c6329a88fab12fc4c68eae2874be8ec797eaf7bd7c88efa1fb5cdc43c13ba24aeb53531b33d89

Download Submit
C:\Users\Admin\AppData\Local\TempXCUYT.bat

Filesize
163B

MD5
20b0fedf3f7c7c5aacb998b2aefd1679

SHA1
ff149c1a326e91f4df97856ab25898af0645a1cd

SHA256
d8b6cc07bb7d51bad9d9b74d1228fb27ffe31a19435985ef41ffb973982e3da8

SHA512
b16f4af4a0aba27fe7637c967e6800de7dd43b3e691e32350948b041a022cdad82f5dde6de13fc66488845a5b5b4d0834d3d75cf1101c8bc08ee4a923a926159

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPK.bat

Filesize
163B

MD5
32f63558ee9087a5d8b20684627375cc

SHA1
ee4ba4c3b912c31739d939dc897c226198a83044

SHA256
9662dff2b6f07d515fc4ca9e17103054fd6b06f3bde0322b35a13d969818394a

SHA512
38bf4c16127c04eeaa48f4ae37c0b80f427903e96e760913072e7a11d1a7bc12b05166b62b89265c3b19eea0b818d9d15839be3e8c847a3eb346448ce75ecc26

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.bat

Filesize
163B

MD5
73d09bb55e140368f9494677b120c41e

SHA1
1e7f26699f36aa9e3bfecf62e39a566c6005f5d1

SHA256
3afc85474bf15cde25f95b7c1587590d8ee24a2765ca15131da34a40c3b2d3bf

SHA512
ad4aecdda96e6ad1719c966def5391f5a0e1964633f21cd200cefd3b7b2aed28d968ea72ba94c1ccc7fb6bb6a145097cee9a7d0f69257710513a3fc854b7be7f

Download Submit
C:\Users\Admin\AppData\Local\TempXGHPL.bat

Filesize
163B

MD5
670a9869a4aa2ce03f4b7d700677baa2

SHA1
5a830d5c58f6bbc634716e504e98fe8ac352e147

SHA256
95ba1c07c5b19b284f23b129bdb5b8d368a7b57b106a7d3cea71a79604370a5a

SHA512
bb1451bba02e2ee9526cc70d31d690ba72fefca84983afdf6a22a1f29f970a50181dea9735241e57c1ad64c9e90feaaee43db5f6ba7441e2a37c1a4cd7ab0605

Download Submit
C:\Users\Admin\AppData\Local\TempXSQAT.bat

Filesize
163B

MD5
21392e5c013e556cfd346997e545a272

SHA1
3bc1f1eca862dcce29fe43efb68e0551cf3971f7

SHA256
231e196dae5842a678f04babe08996b99099540bfd5e1d4c31a84d044570c237

SHA512
3da2003a759b7e344d28f144aa6d4f29176819d555e4032858ef415e2a62ab464141940d457a22d5f45b959301ddf0a7fc1be63de3412d27ab91b6e84f4f899c

Download Submit
C:\Users\Admin\AppData\Local\TempXUASW.bat

Filesize
163B

MD5
bf1648cbc7b072f01b385e4f36b746d3

SHA1
f8ae6fb2f449fefde2aebe6053ebe7d300e4873a

SHA256
06f98a403093fab8c8eb5582b0bb2d6edb62eddebcc61f9e5f8e7e2ce3c5d33a

SHA512
2bd04cf45ac1fc42f8808780e88f9fe28aa9e1c93cd73fb7a2e8a6ba5f06cdc8fcad449753a14152005ec627072b31f196c69cd87452033b847ad2f74b770add

Download Submit
C:\Users\Admin\AppData\Local\TempYGHQL.bat

Filesize
163B

MD5
2b8deb0667dfe429ce39ef9eebbdf9a4

SHA1
67f6fd313dc8f3ca57b6c9c2b2f2da8b737f7214

SHA256
f75ce084bf721bda52af7d80b4616808b5a39c00492a14348e021e73fcdd3b14

SHA512
6f5b82cf626fdb0230b3995a4642d24628e6985c3aec4daf1102f5c055b6652ca3630b97e9b3f4c91d7f00fdceb37050d8d5a10a3505a97aa74a9b09c10e188a

Download Submit
C:\Users\Admin\AppData\Local\TempYGPGE.bat

Filesize
163B

MD5
7c500fd4d50609ced78333eaadda4777

SHA1
c046358ef816e600b74df1374e95af65dea29151

SHA256
2029b94c19e1fe1c8a0c7a304fa81fae5e06aba193c8a988865ebcaa73c9e66b

SHA512
7f38a4cc15279a695c03ea459ed81ddabebe6e7f88372d6d778df10e68a84a23522c30aacfb6a3d3ec3203212d396814c1549a7e397d11ce66056975ea582b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

Filesize
520KB

MD5
a2717b0e4fb0e997bee3271230f5cc3d

SHA1
647812003a2586dff3da7a216baefcbd1d39c807

SHA256
3323b871c46b17a5d50b4c1b56033ceb9327ed8f166dfe3333a6da1cfff46e45

SHA512
6a9adf65057f3458b0a0ac146ceaf43cfee41dee1138157d94116470b75a2176c20a73a9b6755c39990ca2dc64fb2bef7bf7f3f1af5d76ac7861d0da31f1883c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe

Filesize
520KB

MD5
fd28cb7a0c64b0eae5ffc4fc8b6019b0

SHA1
2eb296ee6d92c30dfad2747df5e3923ba798940e

SHA256
ca7b9ec2943d2bbe6229f4d16a2fddef1e7c5772a368d674c2a27bb3c5d8dfb4

SHA512
5f194057d57352d453a7a3c5a52c1619f45268bc290d3031d6d18174767914d77f0b7aba964cc249263d532a50d68c2155f48ea66f65c052dd11569a6c8122a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

Filesize
520KB

MD5
cfa3136744b86f38892fca6acb032903

SHA1
dfc50325cd78400e3325a81cfc630d9cf5867b47

SHA256
affa30451e402dc22972fbdaec8c328f0ac20be246b0f99f8a49d181aba0c64a

SHA512
bf2238e17bd455d06adf4680ca54c33fc89096ea1a26549ed3deb4bffdd761435dbe32f0be0650498544bdb3c550ac1fe40c7d1e6a8d5e909ca8bfca4434564f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe

Filesize
520KB

MD5
2093a2f8a73da320610d2aee9b581370

SHA1
bea35b2b7dc76fe9799e6b55038d02a01871642e

SHA256
ef6fdb570e50fdbbc074b809724c5a672a3cc35802165570fb061b1174d9731b

SHA512
a23044fd3c6b64cb55c4768a3f9728f72668bbcd24cc3f719fa6437756c5302e7129b4f790b89b42dfbe28562d0353676291aa1650ebef232af9f1def199ef2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe

Filesize
520KB

MD5
49d761e0fd12e0de87f64d150c226e81

SHA1
bb5e2931e730eda60f9e17591d49ac80902f51eb

SHA256
641efa3c91fcb6e02fe96be1ee145ed9997c2ccabccad4dda4cbb27e1e8f8ce9

SHA512
c2bb3099d9cc9652494d92c79200993316afc99c8a360ff74f3db2e0fa830ab4a206999db291ebab56562c1778fea57d9910afa24e0c0efcda7a16df3f5c1a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe

Filesize
520KB

MD5
19d8d94c9ae2dfb556f24d533ac8fbdb

SHA1
0e214214f6e7b03516614f5735d0bd8202119e20

SHA256
49314ec7aeca01853418d8e5fd57912beaa8b8ae6d138a695f06d1841477821a

SHA512
26cb15db51ea2c0d454af3c79e791e2ea7076e25bd42ae3fb9dc2af86586cbdff165a3515d673059b5b8bb68af6ba275c2293cf99d18b6e7616d7ed696fe0691

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe

Filesize
520KB

MD5
3105c6324599348b82398698620f58a3

SHA1
564c289da72848af7ad830f0264457de2642c6c4

SHA256
0dd51c7498c31477fba08007326c0457a081562ab7b0fec3f9b9837956471031

SHA512
04a64da0aea430c5db44807651584c1cee807793e90b5ff3c57cdc45ae9078c77a54edc1246e02e4176ed8e06843699a055cd1e86baa70c8f8555e425ab4e5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe

Filesize
520KB

MD5
e92816c9a32b25984bfc8925f06aefcc

SHA1
484a6c81f5f04a8fc4ff7b750d43397b377ad67f

SHA256
fea4247e3bf47a2d6315b8088c1b19fb28027250c30c746516df63cafe4f29bf

SHA512
559e8ce26103800d702eca3e36dca584049cad82f7c0fef1803246d8966b29ac0e9c3688b1019ea92df6b0664865b26682bf8baa43d0ff98883d5069fb637e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSCONOKIPKAOVEP\service.exe

Filesize
520KB

MD5
ee95d9a47535aab862ffd774932eff8c

SHA1
c764ced58840ee760ffd7ec8a6a9725c5bbb28eb

SHA256
71156bfad160d35b86763048f9e69e185b683d23dd0c20547567773f8728a03a

SHA512
fc27c93138c780372ccb0c6d90669a9e30dd353b7271539f4b4cb75a3c0b33745f26ed8c9b0fc133511791045e43da4712da79cade246a8aea7eb807c8f95943

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe

Filesize
520KB

MD5
ad2dbff38328050c37a3a86e145e6c76

SHA1
96867921138c1f85c310f1e6f096e78652aa7a21

SHA256
555d568ceca3ce3bd6648d2af91b9ae40c19c49b7e4510ad19eaabe20f57f18c

SHA512
3f9849e8b2f241c8e76ffe2a0ed1f26c68dbb1cd5d317ded44905afb8c9a3338cc5a6e35595dbafa4cf14887a8b533a32e5280c1b60e40e6a706a57937f957b6

Download Submit
\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe

Filesize
520KB

MD5
f34ecca5d58cc503268e1d95c5df3b13

SHA1
d9b3162c0a993354b10bf567d46bb9f0302da0fd

SHA256
46e404213a6e63f14ec87fbfe0edbb6221b3f4357c8d29fae58e26c0860ad932

SHA512
e1f28a6bca77855b1c02aa18a2af1a7a858e789e579e57f9e70722ff16d36a91b579324daf747ddd4394c9d41314e3ed9bb4e0972acf5767481f622988719941

Download Submit
\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe

Filesize
520KB

MD5
acffe6ef02afc431f777ee9638eed67b

SHA1
482fdba7f2b1ccec1334737909a85a50750e231f

SHA256
3b3ec3488793779b88cf9fb389fc51ac8f2e04f14db618b06efc8c5821285e4f

SHA512
f941ad6cf3d97f97cb479948ea43ab06896313c8032a34f4165545fd962f87053987ed8f05adf858980fa6a69e35682055ac98962981e2e5a5ab06330655f746

Download Submit
\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe

Filesize
520KB

MD5
f6a911db17609e226415895f3ce9f74c

SHA1
0537c2e277d7c165c4cfcc7cbc82e2881b26924b

SHA256
9761e339c898142bb26b8f388e779ed123f4b79921e06d53106d6ebfc5fa57bb

SHA512
964820924887fa19950783a10e85364201f646603f838e61248943b64ec3f9745c588642086b3250cf4d146ee70bf3d0ee964c862966e84e28930a03c1b9803c

Download Submit
memory/2712-1436-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2712-1441-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2712-1442-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2712-1444-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2712-1445-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2712-1446-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads