blackshades | c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe
Size

520KB
MD5

2de5efe46120e70100410c2bb383bb3a
SHA1

6b1e5c5f4468d79c7f0c03176b0cbaf8fb58709e
SHA256

c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03
SHA512

27ea257432b89dc53fa57b583cd150dab8220a5dbafd26d7f83e608ef77650c622195ad1df8e662ac5288a76ac441fc2c2e095d86b84e7e9d0b8e164e65a61ed
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXv:zW6ncoyqOp6IsTl/mXv

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral2/memory/2508-1266-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2508-1267-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2508-1272-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2508-1275-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2508-1276-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2508-1277-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 50 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 51 IoCs

pid	Process
4396	service.exe
2948	service.exe
2960	service.exe
4532	service.exe
2024	service.exe
3764	service.exe
1760	service.exe
2808	service.exe
2700	service.exe
320	service.exe
3576	service.exe
4884	service.exe
3528	service.exe
840	service.exe
4416	service.exe
3692	service.exe
4624	service.exe
4512	service.exe
1876	service.exe
4024	service.exe
2548	service.exe
2028	service.exe
2020	service.exe
2292	service.exe
2140	service.exe
4156	service.exe
3528	service.exe
2560	service.exe
3712	service.exe
5104	service.exe
2628	service.exe
2140	service.exe
5044	service.exe
1800	service.exe
5092	service.exe
2908	service.exe
3980	service.exe
1172	service.exe
1044	service.exe
4408	service.exe
3752	service.exe
1560	service.exe
3648	service.exe
4728	service.exe
3556	service.exe
3328	service.exe
2548	service.exe
2492	service.exe
4940	service.exe
2020	service.exe
2508	service.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVJKFEGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUDXNRXDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IGRPNSFJECTYRHH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNMPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PUBCHAFTTGIDBET = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIHNJMTDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGOGXPLGWQBQAQR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTRVQYMNAGNNWSR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXJKHPBIMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHXXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSPKEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONHRYIFPJKTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVSSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSBVXLPVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIJURPTOVKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMQEHDBRXQGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWCSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHGJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCHQHGQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAVHWBGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXNYRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTQRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOSECGBJUWRPRHV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIQHGRO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QERCAFXWSTGLSTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUEPU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ITYUIVGEJWXAKPX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WBYMYJIMDNTLCBE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPWRHUCLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGPXHDOHISVWIJG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKXTBWYMQVCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYWFFRXNLPKSHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHAFMVMRJRFPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUTFNFWOKFVPAQP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSQUPXLNFMMVRQF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMEKRDDQWOWKUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYITQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUWIMRFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MNIGJMTDOTDQBYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQUGHENFKAY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGBCXRFMHMIUROS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWVXJNSAFDRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UTFNFXOLFVPAQAP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUUIJECFUIPKPLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JIVCLVSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RTJDBISINFWNBLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYXJRISOJSETDST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JOTAGDSRFGCACXS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGBQVOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JLXXBYTRAYUJXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNSDBFAIUVQORGU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLBHPHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPLJYOAOQLEHISN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVYJNTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDKWAXSRATJW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JITQPTGKGEUSJJL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWHFJEMAXCUSBBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQYL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LHFVUKKMHADEOJX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFJPCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJDXDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KQVHEIELAXBYTRA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VLMJSEKPBDFRSNM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UHJECFUIPKOLXTR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVOMPAFKYXJ\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2508	2020	service.exe	304

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2920	reg.exe
4584	reg.exe
2180	reg.exe
2756	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2508	service.exe
Token: SeCreateTokenPrivilege	2508	service.exe
Token: SeAssignPrimaryTokenPrivilege	2508	service.exe
Token: SeLockMemoryPrivilege	2508	service.exe
Token: SeIncreaseQuotaPrivilege	2508	service.exe
Token: SeMachineAccountPrivilege	2508	service.exe
Token: SeTcbPrivilege	2508	service.exe
Token: SeSecurityPrivilege	2508	service.exe
Token: SeTakeOwnershipPrivilege	2508	service.exe
Token: SeLoadDriverPrivilege	2508	service.exe
Token: SeSystemProfilePrivilege	2508	service.exe
Token: SeSystemtimePrivilege	2508	service.exe
Token: SeProfSingleProcessPrivilege	2508	service.exe
Token: SeIncBasePriorityPrivilege	2508	service.exe
Token: SeCreatePagefilePrivilege	2508	service.exe
Token: SeCreatePermanentPrivilege	2508	service.exe
Token: SeBackupPrivilege	2508	service.exe
Token: SeRestorePrivilege	2508	service.exe
Token: SeShutdownPrivilege	2508	service.exe
Token: SeDebugPrivilege	2508	service.exe
Token: SeAuditPrivilege	2508	service.exe
Token: SeSystemEnvironmentPrivilege	2508	service.exe
Token: SeChangeNotifyPrivilege	2508	service.exe
Token: SeRemoteShutdownPrivilege	2508	service.exe
Token: SeUndockPrivilege	2508	service.exe
Token: SeSyncAgentPrivilege	2508	service.exe
Token: SeEnableDelegationPrivilege	2508	service.exe
Token: SeManageVolumePrivilege	2508	service.exe
Token: SeImpersonatePrivilege	2508	service.exe
Token: SeCreateGlobalPrivilege	2508	service.exe
Token: 31	2508	service.exe
Token: 32	2508	service.exe
Token: 33	2508	service.exe
Token: 34	2508	service.exe
Token: 35	2508	service.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
4668	c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe
4396	service.exe
2948	service.exe
2960	service.exe
4532	service.exe
2024	service.exe
3764	service.exe
1760	service.exe
2808	service.exe
2700	service.exe
320	service.exe
3576	service.exe
4884	service.exe
3528	service.exe
840	service.exe
4416	service.exe
3692	service.exe
4624	service.exe
4512	service.exe
1876	service.exe
4024	service.exe
2548	service.exe
2028	service.exe
2020	service.exe
2292	service.exe
2140	service.exe
4156	service.exe
3528	service.exe
2560	service.exe
3712	service.exe
5104	service.exe
2628	service.exe
2140	service.exe
5044	service.exe
1800	service.exe
5092	service.exe
2908	service.exe
3980	service.exe
1172	service.exe
1044	service.exe
4408	service.exe
3752	service.exe
1560	service.exe
3648	service.exe
4728	service.exe
3556	service.exe
3328	service.exe
2548	service.exe
2492	service.exe
4940	service.exe
2020	service.exe
2508	service.exe
2508	service.exe
2508	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 1568	4668	c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe	87
PID 4668 wrote to memory of 1568	4668	c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe	87
PID 4668 wrote to memory of 1568	4668	c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe	87
PID 1568 wrote to memory of 784	1568	cmd.exe	89
PID 1568 wrote to memory of 784	1568	cmd.exe	89
PID 1568 wrote to memory of 784	1568	cmd.exe	89
PID 4668 wrote to memory of 4396	4668	c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe	90
PID 4668 wrote to memory of 4396	4668	c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe	90
PID 4668 wrote to memory of 4396	4668	c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe	90
PID 4396 wrote to memory of 3980	4396	service.exe	91
PID 4396 wrote to memory of 3980	4396	service.exe	91
PID 4396 wrote to memory of 3980	4396	service.exe	91
PID 3980 wrote to memory of 5092	3980	cmd.exe	93
PID 3980 wrote to memory of 5092	3980	cmd.exe	93
PID 3980 wrote to memory of 5092	3980	cmd.exe	93
PID 4396 wrote to memory of 2948	4396	service.exe	96
PID 4396 wrote to memory of 2948	4396	service.exe	96
PID 4396 wrote to memory of 2948	4396	service.exe	96
PID 2948 wrote to memory of 436	2948	service.exe	99
PID 2948 wrote to memory of 436	2948	service.exe	99
PID 2948 wrote to memory of 436	2948	service.exe	99
PID 436 wrote to memory of 4124	436	cmd.exe	101
PID 436 wrote to memory of 4124	436	cmd.exe	101
PID 436 wrote to memory of 4124	436	cmd.exe	101
PID 2948 wrote to memory of 2960	2948	service.exe	102
PID 2948 wrote to memory of 2960	2948	service.exe	102
PID 2948 wrote to memory of 2960	2948	service.exe	102
PID 2960 wrote to memory of 4252	2960	service.exe	103
PID 2960 wrote to memory of 4252	2960	service.exe	103
PID 2960 wrote to memory of 4252	2960	service.exe	103
PID 4252 wrote to memory of 2000	4252	cmd.exe	105
PID 4252 wrote to memory of 2000	4252	cmd.exe	105
PID 4252 wrote to memory of 2000	4252	cmd.exe	105
PID 2960 wrote to memory of 4532	2960	service.exe	107
PID 2960 wrote to memory of 4532	2960	service.exe	107
PID 2960 wrote to memory of 4532	2960	service.exe	107
PID 4532 wrote to memory of 2984	4532	service.exe	108
PID 4532 wrote to memory of 2984	4532	service.exe	108
PID 4532 wrote to memory of 2984	4532	service.exe	108
PID 2984 wrote to memory of 4436	2984	cmd.exe	110
PID 2984 wrote to memory of 4436	2984	cmd.exe	110
PID 2984 wrote to memory of 4436	2984	cmd.exe	110
PID 4532 wrote to memory of 2024	4532	service.exe	111
PID 4532 wrote to memory of 2024	4532	service.exe	111
PID 4532 wrote to memory of 2024	4532	service.exe	111
PID 2024 wrote to memory of 812	2024	service.exe	112
PID 2024 wrote to memory of 812	2024	service.exe	112
PID 2024 wrote to memory of 812	2024	service.exe	112
PID 812 wrote to memory of 3320	812	cmd.exe	115
PID 812 wrote to memory of 3320	812	cmd.exe	115
PID 812 wrote to memory of 3320	812	cmd.exe	115
PID 2024 wrote to memory of 3764	2024	service.exe	117
PID 2024 wrote to memory of 3764	2024	service.exe	117
PID 2024 wrote to memory of 3764	2024	service.exe	117
PID 3764 wrote to memory of 4612	3764	service.exe	118
PID 3764 wrote to memory of 4612	3764	service.exe	118
PID 3764 wrote to memory of 4612	3764	service.exe	118
PID 4612 wrote to memory of 4388	4612	cmd.exe	120
PID 4612 wrote to memory of 4388	4612	cmd.exe	120
PID 4612 wrote to memory of 4388	4612	cmd.exe	120
PID 3764 wrote to memory of 1760	3764	service.exe	121
PID 3764 wrote to memory of 1760	3764	service.exe	121
PID 3764 wrote to memory of 1760	3764	service.exe	121
PID 1760 wrote to memory of 2880	1760	service.exe	122

C:\Users\Admin\AppData\Local\Temp\c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe
"C:\Users\Admin\AppData\Local\Temp\c971fede1f7b61cf4557e87438e8288b5602dab692aee1dd16d342060a104e03.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQNWIO.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTFNFXOLFVPAQAP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:784
- C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe
  "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBMVMG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPLJYOAOQLEHISN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5092
- - C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
    "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe
      "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOAHLC.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MGPXHDOHISVWIJG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURVQY.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUIJECFUIPKPLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEPWMK.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHXXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFRXNLPKSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        9⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDKWAXSRATJW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGCDNI.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JITQPTGKGEUSJJL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQNWIO.bat" "
        11⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUTFNFWOKFVPAQP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVJ.bat" "
        12⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTQRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSXEE.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBLC\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBLC\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDLCXA.bat" "
        14⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOSECGBJUWRPRHV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQALRW.bat" "
        15⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYXJRISOJSETDST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        16⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVJKFEGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
        17⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGOF.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWHFJEMAXCUSBBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
        19⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIJURPTOVKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBXWA.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WSQUPXLNFMMVRQF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMEKRDDQWOWKUKG\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\SMEKRDDQWOWKUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMEKRDDQWOWKUKG\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        21⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFNHMJ.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JOTAGDSRFGCACXS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXFGP.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVJKK.bat" "
        24⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUWIMRFCRQE\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\GTPSWUWIMRFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GTPSWUWIMRFCRQE\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJEACL.bat" "
        25⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IGRPNSFJECTYRHH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXXMVI.bat" "
        26⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QERCAFXWSTGLSTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWJRIC.bat" "
        27⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LHFVUKKMHADEOJX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFJPCOWNB\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\DRMPTRUFJPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFJPCOWNB\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDXDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBUJXF.bat" "
        29⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQVHEIELAXBYTRA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
        30⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGBQVOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUJXAF\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUJXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUJXAF\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        31⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOERYI.bat" "
        32⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VLMJSEKPBDFRSNM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        33⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNMPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYFTS.bat" "
        34⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQEHDBRXQGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCKBWL.bat" "
        35⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HNSDBFAIUVQORGU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
        36⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MNIGJMTDOTDQBYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHQHF.bat" "
        37⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSPKEETURAA\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSPKEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSPKEETURAA\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXIACQ.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ITYUIVGEJWXAKPX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        40⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
        41⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHGJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVKKL.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXRFMHMIUROS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHQCIN.bat" "
        43⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHRYIFPJKTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHOJOK.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PUBCHAFTTGIDBET" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLOQVB.bat" "
        45⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAVHWBGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFTBPO.bat" "
        47⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WBYMYJIMDNTLCBE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWJPU.bat" "
        48⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGOGXPLGWQBQAQR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        49⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPCYX.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTRVQYMNAGNNWSR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVQYNN.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UHJECFUIPKOLXTR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHHFN.bat" "
        51⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        53⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        54⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe:*:Enabled:Windows Messanger" /f
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe:*:Enabled:Windows Messanger" /f
        54⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        53⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        54⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        54⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHHQM.txt

Filesize
163B

MD5
6b2a31d14e01878b6c008dde73293e77

SHA1
a4e78ea27e55104bb480cd3b4cf117bfa048271a

SHA256
5402caa05826e6722f997fe2d7076d500e77ee61c63207f0f092a85534efd54f

SHA512
eaccb2f71f6c41a87db901a7f9c42d36847ee2b65a5c16a7406af6832e1aeaec2584f0808575cb63c42ff18ae2a024b3d403397ac3fc70c445f3948defeb448e

Download Submit
C:\Users\Admin\AppData\Local\TempBMVMG.txt

Filesize
163B

MD5
75a513769fbf394a42e3ff76e5b0fe44

SHA1
402a33d97e15cd2cf5d2bd0dea5563a021ca87ea

SHA256
0382ab21df3efaca7344080cb635cb7225991dc9f33b841bb8852d00c454c6c9

SHA512
76864c060534b5c7b52ccc1129d3ea2b4dc206c26eb5d4292edad822179702d265cb57c7bdb71c730bdf0e8fb03a364bc5d2408c222f1fa396aa2ab2a39ca7ec

Download Submit
C:\Users\Admin\AppData\Local\TempBUJXF.txt

Filesize
163B

MD5
9bfba16ead066711980a3ec7a6813306

SHA1
9aa9b2c2a6cfdb55cde785cfc79cc4a7e0dc697d

SHA256
58752886f85770c0379e2fbd0e01428667de915c620241f8cc8462f3bcf8e205

SHA512
8259ceabaf6d2ecb24398e7b66f63fbd3cf9a7f1167cd5390e91fcd4b8938603eaef690b92676ff15eb001bc029967f15c014807f2ddacc8d7087d71dd20b24d

Download Submit
C:\Users\Admin\AppData\Local\TempCKBWL.txt

Filesize
163B

MD5
85e39707c7bfd1e7fba24a46d00f065e

SHA1
89dcde09b5aed482929ea19ae19c9dcb3bd001e0

SHA256
7508bb9effeb0b21d83668aa949ec7a12dee048968ae49cb7527dd8bb2347d83

SHA512
b4b682745aca981a073916ab38a260eadfdb99ccd6172c5106b77a9c1f8badfcade2542f38a4c9899c2b097cf82cbe2dbbf6873cd5c02c23f64ad81fc452d4c5

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.txt

Filesize
163B

MD5
c1e9cc859b16b9aaf13c7abbc8695e56

SHA1
fb49c82be270cefd43f9154a833d9f1fd2b811dd

SHA256
fd1db65b4c055373a0a760d16e5e68b96b8d83802200465c0c07a43eb6050027

SHA512
dd2803c4bb852df4f419bfd558036ab6503de0b5883719540b71b7d134fd9eae0e1d3fd61add84ae9203c08af3f3483d18e23c122af0f408e5382b0b831d2114

Download Submit
C:\Users\Admin\AppData\Local\TempDLCXA.txt

Filesize
163B

MD5
01a7132fa95aa82270f197e65741613d

SHA1
417134f6ef605f8e6e48f76904ee7a90316b4e8d

SHA256
54f0d3de266e5c06bb55959f7c4031024d52802cda3cfa4df3ec5dbd13f889fa

SHA512
ac38523dfec3fd7466a37d78a494dd1f8a35e671485e4da2d4eab9467d4ffa1abfe3b1ac5fb4d406ba7c168a612e77f2b9a269877d3528c71dc04c954fc1bdc8

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.txt

Filesize
163B

MD5
42cbb906a357b23e88eeb5ff28f96129

SHA1
1615507daf3bb0185f426cce62510498779ad003

SHA256
fb04957debeee10eb6d671599f04687240537aafad8950ea7f3b2f59f7956034

SHA512
39d63695e07872510758ee89e3ab1f0ae680d778a67224ebc5d2e139506bfc2db9fa723ff2414cb9891a647be933d739daeb003d951be97af73e31151643ac8c

Download Submit
C:\Users\Admin\AppData\Local\TempEPWMK.txt

Filesize
163B

MD5
82ea3acb38f2cddfe0ce0a4dd3625967

SHA1
e3641c25d35e256d5ec5a27a79a6621d80a71984

SHA256
2cf61e9f1e595b875e68fe8d259ac62d04905307547afc0ebaca0393ead904a1

SHA512
ddcd21f510d02586ad67c3cb21d1485d2340d933cc69e0ac37b2c587de5f646b663775aef3a41dae24ac47cda8eed18d74c8f7a92af158678030bf948c413daa

Download Submit
C:\Users\Admin\AppData\Local\TempFNHMJ.txt

Filesize
163B

MD5
3a2c2f5c4d422a4cb319e898b6cd4ea7

SHA1
98575b182b11701de1dab0e9519d9c8112445944

SHA256
5be4f29a6ce8e9c81b1ac690e085a0b7ef5980b03edcf1638fab9fd31bbfb9b7

SHA512
0b6fd6d674271df91b3698e4e2a0b95edb2e9de04817110e427bb423c10a4a9f2c56ae3e445bdfde17efae6bc1096f1e5e1f4585949faf1cc875e5c927df0894

Download Submit
C:\Users\Admin\AppData\Local\TempFTBPO.txt

Filesize
163B

MD5
64e82d44726a5cc42e0da402aa7d1c71

SHA1
1d7ed7aad35f5df4882dc51ebf375bbf75985b26

SHA256
01ba5cbb44018a66d203ceb283f165c05deea2798817e92f51f4574b9a350145

SHA512
01a581225709a8d0964d9b6387ebdcf65b8f33b3de2322e2d8a0d93f15536350f7c32736a84f29d15b3398d5b93f55a0a4eedab9217c8f068b1bfaabd5f20dd5

Download Submit
C:\Users\Admin\AppData\Local\TempGBIWE.txt

Filesize
163B

MD5
c1ad6491bf9a0758c8478dd947272820

SHA1
868dd3b44713e258a13561f5a9f63f3ada5cdf8f

SHA256
f0e58666a6a2df00e5f07d8c9aa8a8e80bc769d6680bafd1d08dabf6e0823dc8

SHA512
bb734187075a24022eacd01a72e08695c4bba74b06ede069a654fd0c63f28ec27ae52612bcb477540f967f03181600f62b5ccea06491db126b5b69661ce80fc2

Download Submit
C:\Users\Admin\AppData\Local\TempGCDNI.txt

Filesize
163B

MD5
b802c3dba71f778fcb94dbbea36f173f

SHA1
2fe996a77dcd923cbb33c3808c054970952a9df2

SHA256
52f71776fc41cb9bef02203d5150a0c816443387acad64f7921c404080b1626c

SHA512
6eca8714e71feab7e429b8837b05e0e51d86f77f4af5cebbf91608ce7282c82ca1fc16c1405effa518d22d005d0edfa95cfe44a0f3cb88826488f210eda7acd1

Download Submit
C:\Users\Admin\AppData\Local\TempGPCYX.txt

Filesize
163B

MD5
58a53eb54333aee9220bce9203fe480c

SHA1
eef2cf8df9e7b489c6f65c1ba1f6ddae46c754f5

SHA256
0ea79542f505dd3cf4275f63a7c4b96f26895e219aa99253a552facaa7e0ee94

SHA512
ca6c4fe76311243182d751824a0d33d99a5505d0c073eae51266e645cabcf5b3537ad40f2ecad97e570449ea8b4b8779c37ac4bcef0d53ba2454ab8e946dd279

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.txt

Filesize
163B

MD5
077975505ee313d4d0f5595fc6eb7155

SHA1
4744ed31f9d8fd37b77625e24c415c98e78676bc

SHA256
21b75430c8b79e9ff7d13b3fa09f99870a5c47655d6a627624ef09cfe94a269a

SHA512
f4f3f1a0fb493a99b27fadcc00201ff92311563f272eb7ddc1455b7293004feb2f14d9db9cf140e42b473ff136bd725ae952866a07bc9ce899eb98cff0fe7f8e

Download Submit
C:\Users\Admin\AppData\Local\TempHOJOK.txt

Filesize
163B

MD5
2ab9e10e9c6fcd3a0144608de8622c78

SHA1
232b370b933c1958a000c03bb014866e34ce21e4

SHA256
3b56fc87eef0b5830b2d3ee635c849c78de8d8f35d0837514a1a13a98d6e1cfe

SHA512
06d50c5de7f38a9151af1e9e8587b0cf8a1fc4a989a6289ae46a05cb968674de7bef019ee7ed7c62f45c80790f5a8b170bcf1921f4f0b72dfcce86b1c41b6538

Download Submit
C:\Users\Admin\AppData\Local\TempHQCIN.txt

Filesize
163B

MD5
4f8e2eb175512bbf2f4fcac496593d63

SHA1
462a3cfe0bba8a1c439dd568b5e8014ad39dd58a

SHA256
af46c409447714c8112f5d2dcbab67e29f528e068fa3c4bbc0a0e9ef79041b75

SHA512
0e5cfad7ac2fbef753f9b88590c4a84dea8cb9277392ec9dab9905055884c07f32ac4e73e57bad871b6139d84f9bdbcdd0a3b2b4e8794efeb700501a087f73bb

Download Submit
C:\Users\Admin\AppData\Local\TempJEACL.txt

Filesize
163B

MD5
321b5a7f6b8a304ed8d6a01a2d5fa226

SHA1
8a10411a858758a96184d6dbc869076a53a8d0b7

SHA256
2c7d129edbbeb60fd8b8018ca6923a2c38ca7466ae7324d6b74ea67effdc214b

SHA512
51aabc5b28f48aeeafd2470b1d1c980745985fcd18f23ff17fa762004650bd6a0cc0c6867bf96719cd75a379e7fb240f327f513c70794b8d2479c84cdeb8ade9

Download Submit
C:\Users\Admin\AppData\Local\TempKYFTS.txt

Filesize
163B

MD5
690f8e1fe78fb35d19895ff4c14be58c

SHA1
923732cbadadd9b7aa59b9047946fa4be5273eaf

SHA256
297f69e446f2add408d9ba82c741c84db82723f0b03ecd4af7226eca08c1428b

SHA512
1c8c64d18671d86b9a89667825066fe40eaee6c796a0b49dc34069316303df6096e11f9ae1c3cbe21d568c15961207e304699ca594bdbec16c18540a441ab4e9

Download Submit
C:\Users\Admin\AppData\Local\TempKYGOF.txt

Filesize
163B

MD5
e639a21732428a6804f84269cff210cd

SHA1
029a2178793c32275f5ff798a606aa958b6396be

SHA256
a33e500abb1f551387331580df3838caaca99741115a5710465a72313477ee81

SHA512
43e6c1d60fe8a0645cb25ef78d6d57f94e536c5e9e0cca277ece4b6d98f4cfaf2ca5f7eec5f2ba5bfd5a7043eed64bb27d9659c51df828a4abe89be5ff01215f

Download Submit
C:\Users\Admin\AppData\Local\TempKYGUT.txt

Filesize
163B

MD5
0a7ee4880156ac1cced7bf84c4438e63

SHA1
b9b00c8e76d6f3e4d27bb2ca9fd94c5c65916f16

SHA256
7cb2e5532f99868606ddf711205ca3b80ec7427683ee4809eff0b92b732417dc

SHA512
3e40f160dea8017d09491c70f4bd0cd383a4b76e885535f6464727cb9252b55fc8d7db27d55fbb93183f96f105999621d73c578bf82d1fe233673dfc4abc7b0a

Download Submit
C:\Users\Admin\AppData\Local\TempLHQHF.txt

Filesize
163B

MD5
01361e448fb9a41a1e49254e9437ee17

SHA1
be909cb5aa1abff3737c7b45608c382975fd0764

SHA256
9b03d07fe07dae6a2e681b223f2863a3c24865c6c1f04502723b2a50f0051009

SHA512
60f5c7af41f2c8519f1499f0d0952362236c0d1372201994cf3675ca16524a0daa5f15f30ddfe8e10ecfa11a2fd1d6ba8736851a66a8be4143f6bbcb68f08346

Download Submit
C:\Users\Admin\AppData\Local\TempLOQVB.txt

Filesize
163B

MD5
5f03c17191959612e6bf0978090d281f

SHA1
d1a3a1c55f0205a157b7e2937ed34ff4190d8fbe

SHA256
cb703a76099495b5a7492268f5fcbaede3f7c5889aea7891e60fdc4249ca2831

SHA512
f33fe7482a8f2bb96d3afd58169a8f47caaab7c62be5776c2cd1d9c8df6c36d4b007d5ff11bdecf83b1e742c4d15a0cf10359aa08c257cf3fa94c2fe0a0f2662

Download Submit
C:\Users\Admin\AppData\Local\TempNVJKK.txt

Filesize
163B

MD5
89007f253845713ff9aa044500cb18ea

SHA1
278d7a2fa17687aa07a465600f912d4995d9c015

SHA256
71b8efc7a118c1469e71393c7b79a2a34ad7154b744e809196d2bcb95febbd1c

SHA512
13ef599c6e4291032940a66fe42444e77c2327adb980340b332eb9c16046c0362a9bdc4bb2a519721079f953f9ea831c52592b5adc2c0eceb816b6b5dcf94f3e

Download Submit
C:\Users\Admin\AppData\Local\TempNVKKL.txt

Filesize
163B

MD5
325222794cbf30d7f991f417718647eb

SHA1
d1c28ffdca281acb02354cf1966d003197debc18

SHA256
05a8aebf3d87321dce211468bac119022c0d8dec9633b95b9c86a74b23d71008

SHA512
3dcd87e82e145b8a718fb3a919053837bca9b2c838fa43ed96ddff6e6763321e1d7ea8a8619f8facbdcaf663fb525ee04a6a6017b0607fe8679a306fb3dcd2cd

Download Submit
C:\Users\Admin\AppData\Local\TempOAHLC.txt

Filesize
163B

MD5
e204e214d40ecda9f95fea00f175ecda

SHA1
305556a4099858d2930fc34fcf91632082575b47

SHA256
04c2b3c8b95e913643fd103c03848cb4e111bc3767b884dda5e51dc0beb4c6cf

SHA512
49f71ed422e24fb8f4cfcf481e118324f839ab891acacc847b2a1611e1b5fc47ae110f8d8936ba55dd76eb9d6a642efa163e1c1565d2de8188a20ea465d5c938

Download Submit
C:\Users\Admin\AppData\Local\TempOBXWA.txt

Filesize
163B

MD5
6cf7ca9ff02413cf704f6f509094b23e

SHA1
612a4232270c3a020e75088857eda5f2d44bdc5e

SHA256
3c733bf121574e4c17501a91ab4ba934a6663ad503a15a1d4b9a2ecb968cffa8

SHA512
19d622992675cbbb0746b525be5154a70a6c1b5f73fa46128c39c6f1b0cedffa726f58b7c9ae036881a56bb875c840bf6120dc31acb622ab3b9a6587b878d193

Download Submit
C:\Users\Admin\AppData\Local\TempOERYI.txt

Filesize
163B

MD5
6f21c126a6efcdf32ae286a059d444e1

SHA1
321f29ad5e279a03530fe0d0a31b5e85f43695d9

SHA256
934af1c0a16f8b1c908878194c3f8ca19922aa90c19c2d77a72986d04e3d5b5b

SHA512
f863e1b69aeb13629b1e7aa991acca1867c5ae239ad24e185a6bb3a8d482d27a1c8ff93ff7e61020342a07880511da8a8a89ce234ad3a8ec25f29f81e0d9d71e

Download Submit
C:\Users\Admin\AppData\Local\TempOVLJN.txt

Filesize
163B

MD5
1ff4c30c91199d7c6bbd6c15e820871b

SHA1
f548818aa755bdaab14cc1298ba989d7b99a54a5

SHA256
89b9e55fdd59f52629ed8d9fc7606ba937ee42e42c707697055faa06f1a096bf

SHA512
dff6aa45e6c774f429e933ad7309e4b79671a728b2ae20f5589ce7e2b57b2ebf690ad350e53dfa9933b85e590cbda9280ae763650bd42cc9277d19794f30c53e

Download Submit
C:\Users\Admin\AppData\Local\TempOWJPU.txt

Filesize
163B

MD5
f306ddc6d1ba4cf3543024f4c56a306c

SHA1
5b5484e54ea5f2292f110cc738ac1e5b4f0f5d16

SHA256
95caf3ea75adee188a8ed76a017ad4643e2b2a02361dfbd0fdaaa9e95ff9cc48

SHA512
faece726e8ec5f3c590b3e29241a3da62a3ed28497e4768611e194b2d3ab4ef91980a276150e4026c07f1fe73e63c1dec572987232fb0e4ece890378d1d5fd61

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.txt

Filesize
163B

MD5
bd3265b33a7a2565da521c9c3a486153

SHA1
4c7164dc5142483ce424a84793f43c158053e0a4

SHA256
612043966a179f96b5ff883b465f352b6380e0cb0cece327cddd9aba34bfb6e0

SHA512
40dbcf6f63a893ccd243a58ca79df2447e7a8dec864ee394fb46b289fbf794d071ab59383e080d83918ff859bf1ae4d94bc4a27cb4d2581c94a0afa4f5988b01

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.txt

Filesize
163B

MD5
89e522433b731c85139482d45f788ec2

SHA1
a7c7a82cc9f450613d5574eb9516b8bfb3468c7d

SHA256
b813aea977c0e97dac7254217395f1e7c8fc3496a4c024320c9ed30d6ad5ce5f

SHA512
4a8d39ee33e7d49146e2747bd2d432fd45bec1678e4c8cbd97a86bd5f27f3c71dfae1df8c94e801e8a1b14425d91e8b94965302c786e9443a1378e54835f3e52

Download Submit
C:\Users\Admin\AppData\Local\TempQALRW.txt

Filesize
163B

MD5
8631d12751e5a5d20a59a71313813475

SHA1
21f64add1a661535c22c760a9553422e3b54c24c

SHA256
c46193c87c42a37a7a15216126f842b8635e4fcdb8407809938daeab957311b1

SHA512
ea2b01287d1392a32362c3e990ffaca4e114ce266fe58b05478cfe6142a4a0f868dc40e4631617bdd07086fdfb434e09fcc7abf943758c7b5bb03c81e60460c6

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.txt

Filesize
163B

MD5
c872ef42f00e73a0319a155ea74d0e15

SHA1
7410c08d0e874446ecc7eff67abe22578e496d92

SHA256
356cb8a3f03f52001f593dab167201e1a906ff4a524164aff93eef9501a28f3f

SHA512
7646ff930bb06bcac5b5ba579e465a8b4f02809ec81df59655a17c03c30e81ad3c57be8573efa8cd45a3b005816775b5d78470e337ae6d5a953cdf263a4c4bbb

Download Submit
C:\Users\Admin\AppData\Local\TempQNWIO.txt

Filesize
163B

MD5
905ff30412bb187fa1ecef28ae0bd51a

SHA1
f32754369b5f260114ce2c6a3acbf88e47ea47e2

SHA256
74cba131a09bcb59bf752e1d331bb3b93a6c01e78c1555d9369139b1e01e45c4

SHA512
b6e2cf0c19c09bb0326493e846ec1d01f5ddb9e6aa9d4078c592b90fff1957c01a625a1b4c827e3d3c62e1c017d1021b570eef10414856888e83f2f85ad72f7b

Download Submit
C:\Users\Admin\AppData\Local\TempQNWIO.txt

Filesize
163B

MD5
7f33358f4f18af3b6c88cd6469e946ef

SHA1
8de7bee8ded8161011a9ebeca319dda89da2c39b

SHA256
f00adedab4b0a460060d280258e8fb5474265125c3fbe288a1c6abdba0cb7b39

SHA512
019d5daebd0e99a878785979b432c7b39dd6fae84aa8c884ae4a96a7ba765ac61406ebad8757ed3c7d13da3ecb83a01608bca4b1a7fbd56afb58d0379990dfec

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.txt

Filesize
163B

MD5
836fe23e586a2a27bd49efd04c4d0645

SHA1
8d152e3915ff657b20eebe46d838f0367fad6027

SHA256
d34036cceb63725f50d8c9a483713375b79cf61792bba6372bb4863d6c06faf9

SHA512
c85d6b09c3b8cadb7ee1ca7e9df203bcb84fcd8f8f9380b02223d57d71de9fc141437c35e2ae857cd583ea336e7e7d502f703e1898721b25bb13dda9f37032b6

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.txt

Filesize
163B

MD5
e2fde989efdfa9c12af7ee59baa74dfd

SHA1
496290188649323aeb029f1cf8f70cae43d00d99

SHA256
f31507d060c2098a8887e1d7b0fd0027d7c1377c0619d70c81536feb4f0344b2

SHA512
6e49925b5f00549760fdedebc04f53716c4943d0d1d0f303ef771a061767b8cda3e6226f564e8641433fac63d7cf33b598615f31c5059779093239d4351fe282

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVJ.txt

Filesize
163B

MD5
4312a181e4cdda08330c6bf80067acb4

SHA1
f9f90def514dcd98d07c8a93080f0aa21a5ede05

SHA256
1ac8ea8a829ff31007b7d7c33e1f686d875f8e759c346b465c5bebb520b3d095

SHA512
310c6647c0939bd1fc546910ec36aa01602ce39220538920e8086580577088611fca4b8bce8c7ddfb35984560504b1f0618c4d028aa25a5e582967a038de9f67

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEE.txt

Filesize
163B

MD5
831ee19c8a4998dc083974673c63b65d

SHA1
6d2e658901bef690e306e349c1084770192a5b8a

SHA256
e4251aa5a3db3f15f87fabdea8677ee495d86ce14b562193baf8024cee4cdf8a

SHA512
a4e9d601c04dce76d47515309e5da2bf2025fef5098776dcb6c1d011f26aca2faf1a97b51b0c9aff9bd6a1138ec4100105c6542f8d84a9a2d7c770f46d9889a0

Download Submit
C:\Users\Admin\AppData\Local\TempRVQYM.txt

Filesize
163B

MD5
cca137880022155eb1ae5e4a1e8cc46b

SHA1
98f7b54551aa6ca13ef94d577f16da0f99338dcd

SHA256
087a31df68cc4b18712e544cb459f4721173264bc87dda724de0e0a161efcb27

SHA512
3f59023dc0fcf4cded16814e91ae74308394a334ea5704a04e088381ba9735e6d1976796554124a6d8dfc5fd1c9d3cf235251cd0ecceecd3a2d76c7e4185d226

Download Submit
C:\Users\Admin\AppData\Local\TempURVQY.txt

Filesize
163B

MD5
bce408317d448a306d7ceda9e1fd9d4a

SHA1
8b8522e86e57fcae6794633e02a7f4e196c65dcb

SHA256
2e275fec48e22f48e305ee46fb0e52e2a08d0bbd93001723636eccf81435def5

SHA512
34ee429b878bca2e5c35cd53799ce4a3d73a54062d1206eed3147cbbfcace44ba50bd48ca0aaa8eee66a1a855ce26f71404228da3232ebc7c52eb6396ce13d39

Download Submit
C:\Users\Admin\AppData\Local\TempVHHFN.txt

Filesize
163B

MD5
ad82842722ffb58f85923fe72995a080

SHA1
b0196c7e43c41f945699d8086d0bdab02be7119c

SHA256
bddd1ccc5afa476901c4fb69ff910093b51ab37f436adfe4e3daa069d2b633e9

SHA512
a101e08b3809eed1713d50d162ae3d7a00c9b3e89f41de67d91f01091eafe2d7d93e0bb46ee4eb52419dcff7877b5c3ed1fbf33ae53c407c8f84e517f6b42bcc

Download Submit
C:\Users\Admin\AppData\Local\TempVQYNN.txt

Filesize
163B

MD5
3e7732895275b38dbf38c1aecd588fcd

SHA1
909d7f1715994491be5a677a8ed68468a8daba53

SHA256
f08a6fd59ddd422078cab56d0efbf450287dd9e822555696a2695db3e96bda92

SHA512
84de7832d554734aef43b2bb054f15fbeebf5dcc3e845aaa8ae1d0858b16a5bbe4396ea2bf08007e29816528259c6c0b3a08bb7a128f12a71673973b0740da1b

Download Submit
C:\Users\Admin\AppData\Local\TempWJRIC.txt

Filesize
163B

MD5
b328e54a2d8c5a212b5fafe6b961fefa

SHA1
f7c81021ea9c9ac290d3aa0e462818f9fc29d012

SHA256
ed044365f6ff75bf51238d03106750c5f9015e1da558e08b77d7457fa5bd1bba

SHA512
4e57965b6c1bf5146aa209fc2a6d6e32a1ba03212362c941d2fbf1ff040fa69aba81876a2eb51481b2d3378b32609a7a87f1b0f263d31a59899277a69cec9a3d

Download Submit
C:\Users\Admin\AppData\Local\TempWVRSS.txt

Filesize
163B

MD5
353b3d36723323cb41c5437f5f096cec

SHA1
d96a8f00b0ecc9fa95e42b47bff142b9db14ad64

SHA256
74f1ba1ce11ee69fc1316deed99ee1c859814955eef730caf3f37fe689fd4615

SHA512
cd47805cc7d05704657da30c0122382b3e0bfc5438aacd559c053f657fac9a8654e2a3b62edae8eafd85743828d9d09fae1fadd09004d929e1e0102c6775e66b

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.txt

Filesize
163B

MD5
e59924d03f55952a317b593ad38a3504

SHA1
11766b2101e6f86cac83e0a08b0a2fe4b48fc78f

SHA256
81f3e837dc408afe508049872a93131fe28d91a4061d8ee166f43bf40791f01d

SHA512
e85ab46ce11f55dada19bcc3062d30b4d4921707088caeab872ad935a3d5ec48b30d9ba7b7513efd75cd6dc1e7f39fb24ea2c0f7fa8a50272a2b30cf4522e680

Download Submit
C:\Users\Admin\AppData\Local\TempXIACQ.txt

Filesize
163B

MD5
932ff9be9e738b27e1c050374f522d2e

SHA1
7a304031acfd22b82457d76eb4198b2019fa2f81

SHA256
0647b87fcded99b37ca42bae6138fbfa9ab6dad1e19b37f55791cdc37a6b0417

SHA512
d181008a93942db2d5b41b78ed77c69edef37a5f19a9f71504a641e07e61f83232d6cb421ddeffcff65480372ebc4d37ddb37bb6afd0eeeeb439aec9dd2dcde9

Download Submit
C:\Users\Admin\AppData\Local\TempXXMVI.txt

Filesize
163B

MD5
a9624702f92652a8857b5b1fda35b468

SHA1
dba8956c33ab63c2544c86fcada1e576d798b110

SHA256
0a307fa8706bd033fb4b08413e371b0c4a33948c34abc6dd343d0646b87b52dd

SHA512
9bf6ed6a64f1c8d621fa1e7eddfc8b8d3a14190bfa9d765365fc290635862cb575f0a956460b2161bbec874c511c68c9f108ef90b7794db11b0be38520aba216

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
c2772bee63397964fc1f25ee8bbbbca3

SHA1
48e44c0cce80ee73c63a25a3a8009b3fd528b67a

SHA256
32a4d5b5dd10dcf83cd9cf00cb85f0c7cb7da4967d6d50ce0b706bd9f2ee31af

SHA512
708b5d55de48c769733ff60926ddbfe69db79880452adb0716b6d2f86306ee1b24c9f31c677bd8d5b780e2cb1a71baa9443a28783417a2e0a9de08a40bdf6d33

Download Submit
C:\Users\Admin\AppData\Local\TempYXFGP.txt

Filesize
163B

MD5
e8efddfd2f8494a02197eda3e12cd4c7

SHA1
ef6584020f7be20afb37491d4bb4ab44fb2250b4

SHA256
b243c8894aad19b022ed6a3ac3ff295e329c2ca505fd3d234fe155b96b8e23d3

SHA512
c036f828606ff195087addd1fd126e5a10083f6fbc42b3c025e1bdae908bfbb67c9e248c3bd9275b68873cba768345f6c133010137470c0b3f4d80d0e52df486

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe

Filesize
520KB

MD5
20034ba3c82234fc7d3c59314bb2d329

SHA1
a71923c65c7136a2adab2f973bc49bf47b5d5377

SHA256
1c01a78a9d95c0c35008546bf9c8ff05aa5af37f3dde8bc190af144870399486

SHA512
d6fdba9bc379e1db91e4100b14059959f6f86d15af9e0524fd0b7804fb08e74c771814205d2ce3c25ba36bac885473ad5bba0417621394765b59f2d06b600c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe

Filesize
520KB

MD5
71e34bbe30f21921631700c2e73e37b2

SHA1
6f2dbc881a7a701cb930e6a1f641de0e324aa8fe

SHA256
fbc191cae940226cb8ef61f91635f3cf4f04cd7df53b73f7d97ad6f27db825be

SHA512
94da741c72c36d622d6123dd8c6a013e2ffd31d28a000968bc269764cb0cfb2da5af075882501c4a5dc9f4aa9f9c07462ed9de6007a38974de900ea3e9df3da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe

Filesize
520KB

MD5
3e1a9069490cd84197cbd7e236fda7af

SHA1
d30ef6d08ed566c4a02675a1fd842288919d6b7c

SHA256
a8a85806380d0e3adec62f96a605680e246108cc17c4a40c3fa085ed8c71fb80

SHA512
31b542e32526f98c45b31c483c063e8d439dbf5b48eece5d3948db915051d2868acc78590deb3cfd159a6448501c93c156929f6afe9729b0801f21fdc874e7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe

Filesize
520KB

MD5
72b77533130f1d145a8799a3656a7761

SHA1
3552147a686e866d71f3cca31ac8f07134e81023

SHA256
68efa70a2e993ac48d5c2750c476f9a0002b484e351829ebd69c061af91b8993

SHA512
cb3e34926d4cbf9d28572cc318275b55e9950d7735cfb90b741d2684e77f58e851593c8ab9cdd852095ad2e17828341de3d74517941d7cf9cc62a95ddcdc205f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe

Filesize
520KB

MD5
66b7998af662d26a53bee7bc884ab395

SHA1
4698d319f9d0a6b1c24d175b90e1aa9eee9e40ea

SHA256
b8c11803d17bfc1d330bd1a32b9dc899dfa485afb8edb093e4cd4f32f6603abe

SHA512
04b8fb0d0ed8a928b07613a2730d06b24a42838f0e3407478b49b16487abd060eac5246526fefbb4ce2feda8a92948ee87145938853987aeff8f40c5389bef9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
48fb2a7107ce4effa598811104c38cca

SHA1
48cfee41f57c04f1458dd8f5ce7386887497e2b3

SHA256
2873a1bb1c4dfce3949ad946ac04e1d492c3680eabef604a1bee5d560af09220

SHA512
68ac247c549549907b9ec5e86672f480846bc5f98caa111f580a82488d27e9f0b334b0b993a089b8a2f210bfa67994f44347dcadeaabac9f1939a780728a06fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe

Filesize
520KB

MD5
981eb7dc20ffab4afa2cc32682d507c8

SHA1
e102da7054cbd4cee5803df144278f9da6ee19ae

SHA256
596ce15d07d2965d2e53f381db1a38c12f887847822604730106a3f51a1a7692

SHA512
28275bab246690ff250e886f64dbd1cb53f6782fb4eabdc705283d72626bff8ac255c455c23a3a4bee13b97300c969765449b7123f390a923d2481015c5dba7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe

Filesize
520KB

MD5
a7e8b9a3803a07bc5318d460fab6ed64

SHA1
d79f308da382498f95ed440b7729bf2a890052d2

SHA256
02fc7c074a1372578854c7e425f3dcfa9203cfa7d11633b8b1b9b4657398abf4

SHA512
97809b94b75b641cdcdf1f15d5f906d7cce7fad29f46d85e7ff7bdfc584a2c15dd4e451cd9f2f6f3c74869f5bb9090fb6deb5dbbd415ab087c84ee111c598e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe

Filesize
520KB

MD5
63ef2db2e338b40303f11294b47e2757

SHA1
d921ab5809611d03407b988c1381ccbc55cae415

SHA256
a3c42ef5dd2258e9ecb4ba633d1453fd5bba4cf4b879ba71ebedb28a108e49d6

SHA512
5098c0adbdf2c9b517005043f371f1921a19c11bac9fc45b9656f40ddf89167c2ec91a242760a9218bba3a3966263a1c88fa15a645a10c4878868ab3b63222ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe

Filesize
520KB

MD5
454ca33ee779c777a630e0d8c7bdd103

SHA1
b3575a5ddc01fac0ef438c13db9800dedf496cfd

SHA256
e492adadd7d776ccd4bcc44e6b96c27a2e7269a5a391e1fa47c4a4c9e0f35edc

SHA512
4422fbfe72b3fc0cd7442885d98d2dd82ba81d6d2fc955a630d00b762499b913470c35a1e7e73374bdde4b58f2e247da78333bda79d995d389c15f8826745899

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.txt

Filesize
520KB

MD5
258dca79b24cf586c5219d96d6909b2c

SHA1
a8c1fa8fa9e30496275099e599996427d9670d9b

SHA256
8279c0773ae0e9753373360f91703fc6e38b9daba78e6664f4c3231aebab6d98

SHA512
ba337e81e093b42efe9a0f7547760d9cd2ef9b14dfad8104ba60631769befdf4c8e4e90fde729f20f0b72b7aa1dcff0bf34b9ca2ef78724607380d2587469e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe

Filesize
520KB

MD5
fd536fc4ff1edf0439bec17dc2174fce

SHA1
7fcbc71ecdc2a96f8ef91723c1709390b3a87e14

SHA256
a1d6e95fce7dfa0b096942558f1a3525c867cd29540d2a6b4aaecf4443e8ed47

SHA512
43d085b1014a836ca8687a59ffd230ba876ef64629cf71edf8b809e215410b0a23904acdf28fb0c1cae9e1e403d7eb39db01a5ce162aaccc1079e84b341ad5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

Filesize
520KB

MD5
04088b552d3454e527a8a7ce6644c964

SHA1
342cd52629149226d8d7c617b5b0f1e02ff4993e

SHA256
b915a4c05d431eddc9589a0c008e87ac7a38d5b2ef101af30db06a2147df7b60

SHA512
55ae9956671d0e0d6b1d7a636f8d9a33ab0f251dc8b06ce321c921a8ebc0c4454140a8c72e6c7a8baab8619c69b63dbd0552a9e1fa6dc79651a23bba457e292d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBLC\service.exe

Filesize
520KB

MD5
c0b566a72b30b7f448d101b9af1b3d0e

SHA1
1dc23648e5c9181a9cc199df15210452c2a2d5dc

SHA256
5c8cfe417ab6448906d73ebc06c889b4172f0d83fc4a2de04d2a1c28b36049f3

SHA512
f66a368f26c368e6c6b43b99f4b00f3ce126c2af09f669431a730353e97693494069f6105e21be0e68ac5a5f913de72a604d330665a64f5dbdf246372554af12

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEKRDDQWOWKUKG\service.exe

Filesize
520KB

MD5
fce5ecbcf396351695688b4c57884673

SHA1
1c8d1e07a11063ea0f04a7426e3f316ea0696d7e

SHA256
a3e93fa985041c8f1ad9e81eea60d9182a408357f6deadf95efe6496d78e156d

SHA512
d7da3c7e8f6830381e4f9052e4fc90817c6b97211a68a98496a4d3850ac83c8bb174f3abd3234396de2b17347fd34f99b40fae3160ee38ba3ca4511adc1ea7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

Filesize
520KB

MD5
c7221764b3663e3bf835c5192ca10e74

SHA1
f6f3eeb63212a3dfee2b34e5f844b612cba97107

SHA256
cab0057f27fb553dd388df88e0e8fffe43e382e0174ac80447469b41c5d25d09

SHA512
90780c863d0289096c19d3a1de23058712842f69cf2175b4afb5cb7f1860293408234c46021a24b82a75450e065d531fac15d2c1cdd69383bf6145f1ba606953

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe

Filesize
520KB

MD5
62ef9649a9fa38958492990cf24a8927

SHA1
de86799e09b99b432c8df2fc3d8e183ceea21121

SHA256
fc4102cde28ed16f38911b55b3cb6ecbcb75547d911ccdd9f5f2df57b8c95680

SHA512
0967b0c3aa8e0e2df8c2a34f3c84ccd616199be068b9339d3855efc315920a3508fd6524d5c33547838153ad719abb5c992b9b7d69adb1ad49b22eb6bc5202ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe

Filesize
520KB

MD5
b35a6a2439208327164ef4a8e205512a

SHA1
f796da311e1415312881585f4f1b25ea3ae08124

SHA256
586b755e55ba5dfff47a535e815d031fe91aa891fc2c506816dcff115be0bfe1

SHA512
6aaaa71999976cd88dca659969aaadab484ce203b6f654942ed7e6adfcffd56e0c6a6efd61e1681bf0be5814fb041a0c5bda78f0ebfced287dc786a7f210aa8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe

Filesize
520KB

MD5
9fb66620fd478e6b4d61a7a3ff171d82

SHA1
c79be96fb9be222bc3c39aabea123f1b93a9914b

SHA256
af97df561dc6f1165ce0f106d8512293cc21847be71e31e20c41f88e15798673

SHA512
fa98a5e706fe84487038855693bdea32ee5cc40da55d7eb21634e40e0cbb33365fb8e58b5e7ce9d734358fe765bcccfc742ab94d8acc0793ece381bd2b16a28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe

Filesize
520KB

MD5
80981dc9b6817f443f6fffe9076b72a4

SHA1
15c187b09bd239af9ad7045a344ed3c826dbe51a

SHA256
fc26353d566d331f6f45db4dd56bb690674a1150b94dfba15a27b751f1669f14

SHA512
845508253efc4fc3bc0a4f151f2377c7f6b3bbff9d7bd21e19982e5ca28159a16b2da2f6b8b9982bc929ba2dd1b0d86b77f9f3d9c5d54adf5ab3251c7c5aec6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe

Filesize
520KB

MD5
1ced7399ddc0c1e0ad24650dbd0c4ec2

SHA1
5f57f61a5a6d716ceb586995c6a09b9da3a325a4

SHA256
201f91de9865785b4f2299cea314820662781a5f3aedc65c6945144d92d01d56

SHA512
e6c39a702662d4b9d9e9d1d7253a278caddd040c36aab97a6f3226d3225b7ecf988ee1f7a8bc5ddfdef114de782d2bd6404f8b24285427e291684799e8e5bb72

Download Submit
memory/2508-1266-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2508-1267-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2508-1272-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2508-1275-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2508-1276-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2508-1277-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads