blackshades | 0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/03/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
Size

520KB
MD5

911c0729bf84aca9ff947935bdb83a5a
SHA1

b4fca71d6aa007434c181982973f5c30c0e3225d
SHA256

0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460
SHA512

2ff445adc57545af6a1a24dc584cb07442c7def38b1cd35e70f59d10539b98fcc57e2207e79726e37c2589a123fe64c69ec254257d603f65050da238f19d1dcb
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX0:zW6ncoyqOp6IsTl/mX0

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral1/memory/2924-1002-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1007-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1008-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1010-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1011-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1012-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1013-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1015-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1016-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2924-1018-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 40 IoCs

pid	Process
2860	service.exe
2608	service.exe
1956	service.exe
3052	service.exe
2024	service.exe
1016	service.exe
1480	service.exe
1688	service.exe
2484	service.exe
1788	service.exe
1224	service.exe
2920	service.exe
2408	service.exe
2140	service.exe
2176	service.exe
2080	service.exe
1656	service.exe
2192	service.exe
2676	service.exe
2980	service.exe
2936	service.exe
2868	service.exe
1536	service.exe
1216	service.exe
624	service.exe
1720	service.exe
2276	service.exe
2460	service.exe
2772	service.exe
2876	service.exe
1856	service.exe
2108	service.exe
2380	service.exe
1988	service.exe
2076	service.exe
1524	service.exe
2856	service.exe
2660	service.exe
2956	service.exe
2924	service.exe

Loads dropped DLL 64 IoCs

pid	Process
1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
2860	service.exe
2860	service.exe
2608	service.exe
2608	service.exe
1956	service.exe
1956	service.exe
3052	service.exe
3052	service.exe
2024	service.exe
2024	service.exe
1016	service.exe
1016	service.exe
1480	service.exe
1480	service.exe
1688	service.exe
1688	service.exe
2484	service.exe
2484	service.exe
1788	service.exe
1788	service.exe
1224	service.exe
1224	service.exe
2920	service.exe
2920	service.exe
2408	service.exe
2408	service.exe
2140	service.exe
2140	service.exe
2176	service.exe
2176	service.exe
2080	service.exe
2080	service.exe
1656	service.exe
1656	service.exe
2192	service.exe
2192	service.exe
2676	service.exe
2676	service.exe
2980	service.exe
2980	service.exe
2936	service.exe
2936	service.exe
2868	service.exe
2868	service.exe
1536	service.exe
1536	service.exe
1216	service.exe
1216	service.exe
624	service.exe
624	service.exe
1720	service.exe
1720	service.exe
2276	service.exe
2276	service.exe
2460	service.exe
2460	service.exe
2772	service.exe
2772	service.exe
2876	service.exe
2876	service.exe
1856	service.exe
1856	service.exe

Adds Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\AITUQOQGTBKBVKX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFUSISMKNCIVUHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDVMJETNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\KJNBEAOUNDDFAHV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DAJBGUUIJECFVIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUELAAVBRMHBGW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSLMWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNDOHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYMYJIMDNTLCCEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWSHVDLCX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\HQNHXRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\SFHCACXSGNIMJVR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXVYJOTABGDS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDYCQGUPNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXAANTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\YDNLKOBFBPVNEDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOBFBPVNEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQERCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IRNIYRDSCSTQYKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJUNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSUGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTNNXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRTOMPESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSELQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEYDQGUQNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOXAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTUGMTTFYYMVIHV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTSWJANJHXVMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJCBIRHNEVMBLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCWTOBXIYDIXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOCNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVCLYUSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTFFSYQYMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\KTPKTFUEUVSBMTX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVLVPNQBGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYWFFQXNLPKSGHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBCXDTOCJD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTXYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTHIDBEUHOJOKWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLAURMVGWBGVWTC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHIECJEUIPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTECHYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHCRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ILXBYGUTFNEWOKF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTOESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEGSTOMPESAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLCUMIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUUHJECFUIPKOLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\OBEPRMKNCQXGSWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQCJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\NRFIECSYRHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIQHGRO\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1056	reg.exe
1224	reg.exe
2356	reg.exe
1852	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2924	service.exe
Token: SeCreateTokenPrivilege	2924	service.exe
Token: SeAssignPrimaryTokenPrivilege	2924	service.exe
Token: SeLockMemoryPrivilege	2924	service.exe
Token: SeIncreaseQuotaPrivilege	2924	service.exe
Token: SeMachineAccountPrivilege	2924	service.exe
Token: SeTcbPrivilege	2924	service.exe
Token: SeSecurityPrivilege	2924	service.exe
Token: SeTakeOwnershipPrivilege	2924	service.exe
Token: SeLoadDriverPrivilege	2924	service.exe
Token: SeSystemProfilePrivilege	2924	service.exe
Token: SeSystemtimePrivilege	2924	service.exe
Token: SeProfSingleProcessPrivilege	2924	service.exe
Token: SeIncBasePriorityPrivilege	2924	service.exe
Token: SeCreatePagefilePrivilege	2924	service.exe
Token: SeCreatePermanentPrivilege	2924	service.exe
Token: SeBackupPrivilege	2924	service.exe
Token: SeRestorePrivilege	2924	service.exe
Token: SeShutdownPrivilege	2924	service.exe
Token: SeDebugPrivilege	2924	service.exe
Token: SeAuditPrivilege	2924	service.exe
Token: SeSystemEnvironmentPrivilege	2924	service.exe
Token: SeChangeNotifyPrivilege	2924	service.exe
Token: SeRemoteShutdownPrivilege	2924	service.exe
Token: SeUndockPrivilege	2924	service.exe
Token: SeSyncAgentPrivilege	2924	service.exe
Token: SeEnableDelegationPrivilege	2924	service.exe
Token: SeManageVolumePrivilege	2924	service.exe
Token: SeImpersonatePrivilege	2924	service.exe
Token: SeCreateGlobalPrivilege	2924	service.exe
Token: 31	2924	service.exe
Token: 32	2924	service.exe
Token: 33	2924	service.exe
Token: 34	2924	service.exe
Token: 35	2924	service.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
2860	service.exe
2608	service.exe
1956	service.exe
3052	service.exe
2024	service.exe
1016	service.exe
1480	service.exe
1688	service.exe
2484	service.exe
1788	service.exe
1224	service.exe
2920	service.exe
2408	service.exe
2140	service.exe
2176	service.exe
2080	service.exe
1656	service.exe
2192	service.exe
2676	service.exe
2980	service.exe
2936	service.exe
2868	service.exe
1536	service.exe
1216	service.exe
624	service.exe
1720	service.exe
2276	service.exe
2460	service.exe
2772	service.exe
2876	service.exe
1856	service.exe
2108	service.exe
2380	service.exe
1988	service.exe
2076	service.exe
1524	service.exe
2856	service.exe
2660	service.exe
2956	service.exe
2924	service.exe
2924	service.exe
2924	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2460	1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	30
PID 1908 wrote to memory of 2460	1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	30
PID 1908 wrote to memory of 2460	1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	30
PID 1908 wrote to memory of 2460	1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	30
PID 2460 wrote to memory of 2324	2460	cmd.exe	32
PID 2460 wrote to memory of 2324	2460	cmd.exe	32
PID 2460 wrote to memory of 2324	2460	cmd.exe	32
PID 2460 wrote to memory of 2324	2460	cmd.exe	32
PID 1908 wrote to memory of 2860	1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	33
PID 1908 wrote to memory of 2860	1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	33
PID 1908 wrote to memory of 2860	1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	33
PID 1908 wrote to memory of 2860	1908	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	33
PID 2860 wrote to memory of 2800	2860	service.exe	34
PID 2860 wrote to memory of 2800	2860	service.exe	34
PID 2860 wrote to memory of 2800	2860	service.exe	34
PID 2860 wrote to memory of 2800	2860	service.exe	34
PID 2800 wrote to memory of 2828	2800	cmd.exe	36
PID 2800 wrote to memory of 2828	2800	cmd.exe	36
PID 2800 wrote to memory of 2828	2800	cmd.exe	36
PID 2800 wrote to memory of 2828	2800	cmd.exe	36
PID 2860 wrote to memory of 2608	2860	service.exe	37
PID 2860 wrote to memory of 2608	2860	service.exe	37
PID 2860 wrote to memory of 2608	2860	service.exe	37
PID 2860 wrote to memory of 2608	2860	service.exe	37
PID 2608 wrote to memory of 664	2608	service.exe	38
PID 2608 wrote to memory of 664	2608	service.exe	38
PID 2608 wrote to memory of 664	2608	service.exe	38
PID 2608 wrote to memory of 664	2608	service.exe	38
PID 664 wrote to memory of 632	664	cmd.exe	40
PID 664 wrote to memory of 632	664	cmd.exe	40
PID 664 wrote to memory of 632	664	cmd.exe	40
PID 664 wrote to memory of 632	664	cmd.exe	40
PID 2608 wrote to memory of 1956	2608	service.exe	41
PID 2608 wrote to memory of 1956	2608	service.exe	41
PID 2608 wrote to memory of 1956	2608	service.exe	41
PID 2608 wrote to memory of 1956	2608	service.exe	41
PID 1956 wrote to memory of 3000	1956	service.exe	42
PID 1956 wrote to memory of 3000	1956	service.exe	42
PID 1956 wrote to memory of 3000	1956	service.exe	42
PID 1956 wrote to memory of 3000	1956	service.exe	42
PID 3000 wrote to memory of 2960	3000	cmd.exe	44
PID 3000 wrote to memory of 2960	3000	cmd.exe	44
PID 3000 wrote to memory of 2960	3000	cmd.exe	44
PID 3000 wrote to memory of 2960	3000	cmd.exe	44
PID 1956 wrote to memory of 3052	1956	service.exe	45
PID 1956 wrote to memory of 3052	1956	service.exe	45
PID 1956 wrote to memory of 3052	1956	service.exe	45
PID 1956 wrote to memory of 3052	1956	service.exe	45
PID 3052 wrote to memory of 1680	3052	service.exe	46
PID 3052 wrote to memory of 1680	3052	service.exe	46
PID 3052 wrote to memory of 1680	3052	service.exe	46
PID 3052 wrote to memory of 1680	3052	service.exe	46
PID 1680 wrote to memory of 2056	1680	cmd.exe	48
PID 1680 wrote to memory of 2056	1680	cmd.exe	48
PID 1680 wrote to memory of 2056	1680	cmd.exe	48
PID 1680 wrote to memory of 2056	1680	cmd.exe	48
PID 3052 wrote to memory of 2024	3052	service.exe	49
PID 3052 wrote to memory of 2024	3052	service.exe	49
PID 3052 wrote to memory of 2024	3052	service.exe	49
PID 3052 wrote to memory of 2024	3052	service.exe	49
PID 2024 wrote to memory of 2400	2024	service.exe	50
PID 2024 wrote to memory of 2400	2024	service.exe	50
PID 2024 wrote to memory of 2400	2024	service.exe	50
PID 2024 wrote to memory of 2400	2024	service.exe	50

C:\Users\Admin\AppData\Local\Temp\0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
"C:\Users\Admin\AppData\Local\Temp\0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempVGFJX.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2324
- C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe
  "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHIECJEUIPJ\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\UNMUIHIECJEUIPJ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\UNMUIHIECJEUIPJ\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempIHLYC.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AITUQOQGTBKBVKX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVUHP\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:632
  - - C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVUHP\service.exe
      "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVUHP\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKPMXU.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DAJBGUUIJECFVIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUELAAVBRMHBGW\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\MEUELAAVBRMHBGW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUELAAVBRMHBGW\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFHCACXSGNIMJVR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLNWSF.bat" "
        7⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEYDQGUQNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCYYSL.bat" "
        8⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTUGMTTFYYMVIHV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        9⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTEDHY.bat" "
        10⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OBEPRMKNCQXGSWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVOAPY.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ILXBYGUTFNEWOKF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCFGQL.bat" "
        13⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJANJHXVMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJCBIRHNEVMBLB\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\QTJCBIRHNEVMBLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTJCBIRHNEVMBLB\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "
        15⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSLMWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQWNKO.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCWTOBXIYDIXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNVN\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNVN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNVN\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIBCQM.bat" "
        17⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLNWSF.bat" "
        18⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDYCQGUPNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJWHFK.bat" "
        19⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEGSTOMPESAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLCUMIDWMNKTFLQ\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\CLCUMIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLCUMIDWMNKTFLQ\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXFTS.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTBPOA.bat" "
        21⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYJIMDNTLCCEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        22⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHCRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        23⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YDNLKOBFBPVNEDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKTFUEUVSBMTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQRXDE.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFQXNLPKSGHY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        28⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJETNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
        29⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUHJECFUIPKOLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBIVDR.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOBFBPVNEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYUJXFN\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYUJXFN\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "
        31⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQERCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IRNIYRDSCSTQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKIQCI.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLGUTG.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRFIECSYRHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQVQXM.bat" "
        35⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTHIDBEUHOJOKWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCQPCK.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJNBEAOUNDDFAHV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOULIM.bat" "
        37⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TLAURMVGWBGVWTC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSUGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHEID.bat" "
        39⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HQNHXRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFMRC.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTNNXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHHQM.bat

Filesize
163B

MD5
764c6f83e516d4ca1d3b7408a50f18db

SHA1
be1d7c04d9861a6e80d770bdabac26e3250094fb

SHA256
f527d9d42fc7734e28a29d59910815e1550b0c1cbc4efaabcc15b0580be94881

SHA512
d990134e94fb1915536f64dcc10fc5d52eb2720cf337563583b1d07750272c3c71eeb029c382baf0225c57995d35626ae39c3611b57803ec78466fdc8ffd424b

Download Submit
C:\Users\Admin\AppData\Local\TempAHVDR.bat

Filesize
163B

MD5
67268169a450d00a136aeb8064928cf6

SHA1
2ff1c026bb20b5f389c3be97e1d371ffa9fda84c

SHA256
fa60dc9662fd2feb711d924c44f9a5b09b975c5d5694037ffb38aaeaf25555ae

SHA512
43ede016de0bad1a5cf6c85bee13503e7ba215de4e3e9e38a0b2015b0a318984a460500da0946727ecc94d188ac7365f2a120ba15c1d62e986ae4ea8718c3466

Download Submit
C:\Users\Admin\AppData\Local\TempBIVDR.bat

Filesize
163B

MD5
62ab06b743e3009a3e9486398c82a4cc

SHA1
fb1b40a13d2ad6e84c1ce92829967c7db549799e

SHA256
29bc96bc92cc961b1630c03f46de803a9672c365ae76054e9d99db9a100ea733

SHA512
5fb87704d3dde06601a90437c38bf061627739c305a4bf5b33db52d7d054326e615dc945dd1f1d2f1e57113f075d84e4b005db6a2e3af35d6d2c440575deb103

Download Submit
C:\Users\Admin\AppData\Local\TempCFGQL.bat

Filesize
163B

MD5
5a41c258f80926846006008f871e8f29

SHA1
03e9a1dc7b80f16b98b6c6838d12567860ac80ba

SHA256
54f7acc25342794599972c0a6102a7bc8fc952cdc004e8b33d0d7c342bb32ca8

SHA512
16e9d3bee557ebb878fa385e55167618d3132027dc807e932bf64b7bc6fde87b0cac02abd6a1e9fd54d90f51665703ad5a8fdc6b9dba81cd757e60e831295038

Download Submit
C:\Users\Admin\AppData\Local\TempCQPCK.bat

Filesize
163B

MD5
1e7b78afb8e79228c4cffd0d2e2f042c

SHA1
41aee80683eaf374e207cf48a36bc966fded2c8c

SHA256
0475fe7e2f2ee35b573b3ea3487d391fdb031e1168de2093efb7c9d22ad0dee8

SHA512
9acf859eabdf9842ce168fe54b47d032fd5947b0850f6ec71fa8d7e33bfcf0ef101dc6735cefcbf38b8345849db5c47644eac039d849a4534bc4d9fed888577f

Download Submit
C:\Users\Admin\AppData\Local\TempCYYSL.bat

Filesize
163B

MD5
a32c2f2728c45177238dab4293fe4eba

SHA1
b4a6df409b077ed742cd8775691192b1a07bc181

SHA256
4ed1c9969a7580cb62a59b0f08fbe7664faac68dc114f762fc45de61ee72704d

SHA512
c83ff57fcd60b69885068147a9aab937dd89b50de4c5cd228d9e4c67f668c1e8e77acc5c220c24f98c81201118e0ab063fa26f3092467ea43ed2022ed9ea695d

Download Submit
C:\Users\Admin\AppData\Local\TempEXXMV.bat

Filesize
163B

MD5
9e866f8181a3cf3103041c39bf893cc8

SHA1
10f33e54f4ac23a78b5d61623cc467a171ac9c88

SHA256
b9b06cc28bb1f0e13aaa9a5b971c77809e1ad2e509eb1d6a9710f6fd3c16ffdb

SHA512
e3199afdf57382979ffc830bcf58a65c14f1cccc6e255d763c8b2569af3bf7173105defd84c0a46a26f9bf0085b547a9882ea46f4724c55eb52bff376b05f7ac

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.bat

Filesize
163B

MD5
a893db9fccaba8bcc6b41c2d80d17bf7

SHA1
d343a8f254241d4e485033bcbfea8e59adbed6ad

SHA256
3ba72ed8749d2944c33d5cd882c692e47371ae0f3806f7f4912ca67244806460

SHA512
152a9ec9f5e7fe567d86489c83d53937126d593ffd7e64f2deb090eed647171d6845ff69b0d17d7418371874b08df53ce1399b9a161ce4a92ef4c54f691af76c

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.bat

Filesize
163B

MD5
c50c7621112fa1afb44904390e54c3c7

SHA1
7b090097af1e5ac92d212cbcf0b687ee773dee78

SHA256
5b26f953f04bf432172e566629398021a7a5e191ccb4d8d745c5611eea898737

SHA512
c73f09f0a6b1e33b9f216839fa1679f9bb800325667483337b127197835d109a161cf4260ad2fef587b39a6783bd4238a607ccdeac848ddb82b6d744d6caf81a

Download Submit
C:\Users\Admin\AppData\Local\TempIBCQM.bat

Filesize
163B

MD5
4ee0ac9fd9906f6947aa07400a0c6eb0

SHA1
889019ae0da9a4ec8a4c26f350266d5fe66d87d8

SHA256
f984d52f2337b3ac2be55c808a5f8745e0b284db69e3c083240622ae1066908d

SHA512
cd0e092b24c306e789073cc14985587631ef1864128c403751515356f2e4ccf2a246aa7f0b119e77f93bf9b9637755b661dbf82815c41595e8256dd7f0c8594f

Download Submit
C:\Users\Admin\AppData\Local\TempIHLYC.bat

Filesize
163B

MD5
d535f11389e6265f593ab53dc1f6ab80

SHA1
347839fa130642c0f260ce4922bb93d50be4feb6

SHA256
57a5fcec3dbf5828f701386c51287e53fbfda60403fac41a89be4958f325532b

SHA512
809f79a726548cf8234be8065e734758f455b595635e12d59ba5071312c26e9c59fc3b61d323088b205d29f49e58c1f94954f33f4b18c469296c4da18c811545

Download Submit
C:\Users\Admin\AppData\Local\TempJHLGO.bat

Filesize
163B

MD5
c4600ae7e718e0c827026f30301ea125

SHA1
b0e45aec09880a545451df910c958ef467b4107c

SHA256
ed951583454f87b333c984321f3d5cbf69bfdb881f1baf555e66f8ca42e1b6f4

SHA512
fe942ce0882b3fef550f529179a648782b55ff0279cf91fcb5ded835a017ea59f1f3d952535587a3cb9fd6dc68bcf7c4bdbf560f210d83370a4ef6a769178271

Download Submit
C:\Users\Admin\AppData\Local\TempJWHFK.bat

Filesize
163B

MD5
81db82d4512873ecf6d57e9fab632fd0

SHA1
d5a5e9564cfbcde0c0911488d8d72ec661470ffb

SHA256
fcb896ce3b46bbdc43f8e17a68329e875ae3616bb801ca7be743587b7cd95ae9

SHA512
229cfe278be3c49604328051ebbfe50d7c927be73770f09db51eb809c271cc53ad14910622a3bab3dfb7904405913ca7cfe1402c098404f65ddb8c2bbe286a75

Download Submit
C:\Users\Admin\AppData\Local\TempJXFTS.bat

Filesize
163B

MD5
14bc128c2822df50a76a7d2bfc5a3b62

SHA1
3921b0142ff18f4f7dc109e8231fa637e5e0f99b

SHA256
7e2d6ff47243ac2a9a573824a90ed9e33f1cf74a6cfc5073a2dea040016cd7dd

SHA512
97f26e1ba5a955d4464385da622070436c261ab97436a82000261ebd2bf9bf4f8d9d4cad1d76a54da3be487e6c0e4e86b8ccade9c93e1782189bd7703a8775d0

Download Submit
C:\Users\Admin\AppData\Local\TempKIQCI.bat

Filesize
163B

MD5
3bf0ca3ba9863d35e7db3e7b2cd31b7a

SHA1
ea10955b351348e554138f493d3a22c60c44c2cf

SHA256
c4c93341d1268d21ddea7d6132776d3ae6d2cbe38c232579852cd2138a68a764

SHA512
d062c276cf111712a5cdc8a6ea648b1bf4d2e2ce312be4235dec436112234f61e43693e9dbb8850e35a050b9fd978517c1ec2bc6e7b8fcb4ad03f490d50355fb

Download Submit
C:\Users\Admin\AppData\Local\TempKPMXU.bat

Filesize
163B

MD5
5e9c1e5ef9fd339dfd78681adecbcf50

SHA1
14ef59b625db1d665cac95627e219a3f3c6bd03f

SHA256
910389ca4df72d0012e07a84327cd0342ac9d05d04ab95770cb0c005451fa92c

SHA512
b2c50dda0cfa6d0c32bc153f3103211f7e7c105dd90d68926aac5fc2e5f8ea35bfa68942e4fb80b38ad6b5a51c5442641b6d40c3909b49a35ccd5e75b2e7a235

Download Submit
C:\Users\Admin\AppData\Local\TempKSELP.bat

Filesize
163B

MD5
0224368807da08cc8e3924fa4a736fe1

SHA1
e88bccc94c06bb012862d45b9716e8fcb622cf4a

SHA256
4d0593fbc22c7680d6c0f1828cc34a7d414de607e6b435284b3590a7bf05c233

SHA512
0ad9026df1ad660bbfada55e06181c1039c7c4f2b89e5b9e984c543e8ed0142a06e5b6b10aac64a2a9d34934ca6d5b3a469863e9901683037aeb0d18e43af344

Download Submit
C:\Users\Admin\AppData\Local\TempLGUTG.bat

Filesize
163B

MD5
7f1673b1048549aa98809f3006551b9b

SHA1
eb830f08514f8d5977b20d50d1796eae55b68044

SHA256
88185dac7a594251fece5e5f5850654f8422732eaed33a5a424b2c7500fcdcbe

SHA512
cecfc1417aab714f9bf8abdc90687a39aa7071319aa01aaa9b7b952b68a1fa4effe7f85599c91513b63072b2ad468e5a6d8e911c1ea2e5cb16b4fc8c8ea92286

Download Submit
C:\Users\Admin\AppData\Local\TempLNWSF.bat

Filesize
163B

MD5
e14077320dc6fd79041e1f2f5c53daa0

SHA1
9489ceb4b9d6d491d9c6bf1a310ff5172a21c368

SHA256
32817daded980b0f45aac82c119f2819e6ce8edeff2b9b5a6a3c6733cf81c254

SHA512
18ccf852fb3d3aa17a812a198521cdaa408a2440912773ad88e54fd895e79f1f2187ca75f1e649c01fa03de6194318f8e690ff4fc5003470eede6d907a94402a

Download Submit
C:\Users\Admin\AppData\Local\TempLNWSF.bat

Filesize
163B

MD5
0b96c7730be3ebd96428e696a67c665a

SHA1
caca8cbf0fcdd38c32284f7ebbce57c98948a1d4

SHA256
ed8b155d48f231a2843ff2a74996d5e5366e27083941fe642124286472812125

SHA512
b3b99e6ab9c9123869b7edcfe3dc8ff830111ca79f4d9e1a52454c78c1b158f3f9a76f180c7a0b8b8112db8bc1e58b4ba6d335cc9fbcf1977ba7b6d6e5622f03

Download Submit
C:\Users\Admin\AppData\Local\TempLYGPG.bat

Filesize
163B

MD5
e6d1b7b11d36abb427256f7c3f9cb74a

SHA1
52b9959c5beb82f2154ab147007a7578c2db3925

SHA256
3bfa79d2034b53889392b86ef25f15da7865aa9da24e0329cb6214e2eb410d99

SHA512
0957d8751565f724b4487fca6899599607c140d7d68a120d03303e4c021d49d86b17c83b3e1b03d439f8a8bda95a3a90dcd5703133bbb5b5e6eeab83ebcf0468

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
28e6280656f4432f6c5cf2f7d1efd4e5

SHA1
e9d7fe148d5eb7b565137843359fb0feef7fe28d

SHA256
df6d7e81b8746e9ef08d113859c81bd6554252f7842c8952e529c272b52aca6e

SHA512
ac26c666b19df427db6fc0c858ab698dd3e2ef50118e43134ebd4785614900b814a508970effcdfd90f850328bf3925c2cfafda37e01cee2dce0e624908e296f

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.bat

Filesize
163B

MD5
4f3baa386eaf2ce33e9f5f85a0351b9b

SHA1
a6cb786c42bbb983a55782475422b2369a2a7245

SHA256
d0a75d00669580d10f993c51bf1bf26d4d5e5f40cf2328cf521876485061864e

SHA512
76ef94f360cba4f500276fa6bf0f52ebc53964cbc729356a0f5b851e5bfbb1cd9b507aaef64eb849b9be681eea3d8450891fc26ced85fbb8b8e8c50077181ebb

Download Submit
C:\Users\Admin\AppData\Local\TempOULIM.bat

Filesize
163B

MD5
9713655dbe150150885b6d437e3f63bc

SHA1
b189ae1cbeae56e11906f3a0a2797e70fbff0e15

SHA256
05bea3d8e220f3a8c6ef1edd359ece593d99d945cd938145a5c7be8f8459a3b5

SHA512
bd25b1a0323f30b16a5311a8f960063b63357a975211996812e3892083bae24784dbf5ad4921934b60e483170eeded25780e299ea6112a9be5443d8160340125

Download Submit
C:\Users\Admin\AppData\Local\TempPTOWK.bat

Filesize
163B

MD5
ae217bd118b2bf0e33b00aedcafda0ef

SHA1
76420a478f1e8863d95fa42c8c8f27fa2c2ab01d

SHA256
5f5b2de3387bbe3366b269c054e70cb50b5b5d67b76e98d3b0bdda00339b9d79

SHA512
5679cef428b739d99ddb6cc4f0ed269c98b023cd9dcfb269fba4785abe4bfe0edcdea0444bbbcb1c0f63aa2d3a841ebe12e1044fcd0452ac69d337096da98fb2

Download Submit
C:\Users\Admin\AppData\Local\TempQRXDE.bat

Filesize
163B

MD5
7b43fe6a57e38eb1a2dd219e601a2b37

SHA1
8b1ada3619e607e4b27eadad885003d5472b130f

SHA256
c562585d130a3b127071a3beed6dae0e5fbe8a66dc85e8c286d99e68c6e9b00f

SHA512
7e0988667732eb8717162996cb3fcd85a9a80ed5a1c473fadf7f0f9db6761264893cbc1a96d8828fb27c74588b5108b0dd8308685a06b85c3602220cf743e162

Download Submit
C:\Users\Admin\AppData\Local\TempQVQXM.bat

Filesize
163B

MD5
c77c45252711b8c57a85bd15dd837d11

SHA1
4f2bbc1a53a9f029a96036987f6921cf1afcedc8

SHA256
27e6d61132f14fde7f4cb0b6abadf9db1fc94ee3cd8a70e4f93c62b1fed520a2

SHA512
6304e16d425b616db4bd39289b6e7ab5a912df5e801908e64f6e02b918a9ada626c80b509b647395d3018f7cba138529b0f2513b93bea36eed6b5b7a9dd23b20

Download Submit
C:\Users\Admin\AppData\Local\TempQWNKO.bat

Filesize
163B

MD5
c9fb5a391d519d8f0e3a536529c30fa3

SHA1
59d9c1026a77152610f3574f16be9ab8e4167455

SHA256
778528332f0ffdeab469b2cf94bc3615f68b8c3a4511582e2c9e83353afd67b4

SHA512
d045b82cd3da2af83a0cbcbed8772a13a223611760fd177844e1b9a7a17f40cd8e815f4b8a02ec293ea44aabd67edf16751b529d40812620849fdba77e642b1f

Download Submit
C:\Users\Admin\AppData\Local\TempTBPOA.bat

Filesize
163B

MD5
680e2e9cc13cbe1b58ee8b3fd71964c6

SHA1
0ffe1b8f9425517ea5ef01e2d12bbae60b37ce43

SHA256
bb4aa12fcf304f4ea13c9a7e9a5d9ca7943075065d4cb8166f5b8b513cb9e50a

SHA512
868c3e3b264d0c6888f01a7ca811f84391fe9ad67c4393b15d87769b9f216830dd6c1c24c8bef9413d10918e5e880c53660f26504644d7affbb2e7fcdc7ae492

Download Submit
C:\Users\Admin\AppData\Local\TempTEDHY.bat

Filesize
163B

MD5
f7d9919c9a11191de47a2ab6e2873632

SHA1
d5291a3605a0fae819b72430449799b19ff1a10a

SHA256
d7f3b80e6e5eecbae7611d607e92d2cb458c9bf1dc5d7cd2dfc219ef25972b9a

SHA512
48234e699f3484510a294ae20e6c6f7bb0e1b7c489f104d33055cdc00adfc8eadf89e6e637badc2a75f765a69d35b6deb4daf3dda0e700f6dc7dc2e8a49ddaf2

Download Submit
C:\Users\Admin\AppData\Local\TempTFMRC.bat

Filesize
163B

MD5
7b2dc6e81e9d4ee1b397576c8a5bab09

SHA1
0e7cb6bd412211c39ecddf631e4d97b4bef4aee9

SHA256
75e8fdab0df29fb80679cdd3506e947933b3e088d89ccaebedf169d64e693c50

SHA512
4d0bb20f49e0728301715d6d8d79669b57ec51becac3716326f2fd4d664c74287a93daefca78db1c1edd1ecb9090058d0d2f363f5e11b66e023c0b9983544018

Download Submit
C:\Users\Admin\AppData\Local\TempTRVQY.bat

Filesize
163B

MD5
f7c923a843e0d95ebe69f776eb230133

SHA1
44a53b27a56e0857c377fc5600c86a57fd377503

SHA256
aa8fe656b91eade8b15c0617bc0dbbe492a24bb550cc4630b8f6c230ad2996a4

SHA512
b4a1ed013bc2a296f14280e5b1450b699d6a4303e1e346d25effefea96d5bd3048c455192e8cdf0983549556550b0e5895dbc82dfd4f8b3bc520d081e3507895

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
f34cd5e87bbb760d600fa34f88fa9a51

SHA1
9762c7a34665b41b7c98c94e2803e41bd329bf53

SHA256
39f7955a15ac56d542f5399fb491d0321674c80ea1bd2b9dce0899ec2ee3d950

SHA512
40d41a363a0f615062942cbfbdf253c284c6a072d776452e4206c5460c47d8fb02dfb9741de9d46ab5924855682e693ba9c2dc8d9aba6ae54be0c90f99ef4b97

Download Submit
C:\Users\Admin\AppData\Local\TempVGFJX.bat

Filesize
163B

MD5
3fc18e073107ff6e274c754eb35843c6

SHA1
82918a069a2f830a67a1ad45b309d08648ed9bf3

SHA256
d40713b9e4d51b9fe44e985c3b3f7d84a13f6ca0a5e5fec85d5565202dcb813f

SHA512
9fc17c4e649f2d53edc5b7137379b55b0dd0d034f4e94f3e7c42fc3e3c9624b643e2ed69684adec4b09c6e5f8c6d6fd4f03a79d9bd37c33b64e46c09e67c161b

Download Submit
C:\Users\Admin\AppData\Local\TempVHEID.bat

Filesize
163B

MD5
7c8ee1053c012dbfde08afdd92dd76f6

SHA1
e9c8b515c6e21010cae30a9ad35b081331af0df6

SHA256
51df4901f14127f152809c3dd444d41d0a623ba75c6cee31f4d23a2d83ddd38f

SHA512
78b3bc6481ce26cbae09f035084d5e96b4cfa6750e32f4cea42458375ade6db79816ecaab345a334f806a746d2e934e38519b4a79d1eee61820aa4a461173ee8

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
6261b3927493f81b9cf5a4227679e5fd

SHA1
f08f673a776dd52bd64d1ff11b72fc6235293509

SHA256
f9f770d828bd8fbeda26c96b2c49b26036d19f920c0e0573c06d927da57f5d3c

SHA512
5b19fc117de6ea9cc6695c4be8e0d87c8e9689f8307a7367bf4f52f8dc591c371913784379314994fc2faf49640c30fe7a30de31563126941ce0a297f9d72686

Download Submit
C:\Users\Admin\AppData\Local\TempVOAPY.bat

Filesize
163B

MD5
b41dd2c215782af321f6bc04a9f986f7

SHA1
b8ce7b321234108923bafa66bf37bcf0b90bf309

SHA256
cbc5d4f810516022281f85f1d14ff67896f8321987862a1a4d97514f77265e28

SHA512
33da9a33bc0fac0f02245c86212909215db9850d5762e39437f325999f4815528baf190836f8a630bde14b9c1848679d6e5de95bd6da595b53e63f5b301a406a

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.bat

Filesize
163B

MD5
b87c95e66bfa0468b23182d8e7da564c

SHA1
46a1289d495aa22a197a059eef1fd730ce95ff01

SHA256
42bed674dfa1861d0e52fd01cbef9c9091eeb8242642e0febf5c01012b48c261

SHA512
07e3deaee31c0f0c4e2639c105adeb1f7362a80bdae026f00f687f8fce71229a502075e87479d787aa70ba23167915ed18f3f878668c64f30afe6c6d5cb19b32

Download Submit
C:\Users\Admin\AppData\Local\TempWSRGP.bat

Filesize
163B

MD5
c797e1aa0865b7a209c4892f7f6848ce

SHA1
76d4b8baa9f8d2b0f2849e92b359b52283ac6789

SHA256
273d85602e2da16c0561a2e73eec190c29049ffbcbe8c1d9ecea5755a4917117

SHA512
ca5818c1e1c905f27fce8054a2515727ca1fc3449c2a4122837263005ab85788691a14b4ded3d9c394674799e20b9ca0d751a48afb7b30dc13cc0cceefc05cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe

Filesize
520KB

MD5
5f0768fdc066024ecc8d8c902c5ae03a

SHA1
499e52e8bc7ff9c46bd86063a832afb4d56f88b1

SHA256
de7547927b7e65228772f1532fc84bc856d1d5848937b510474cff3751cf3855

SHA512
cb32ba5418899434b74fcd64159a3b3a4932301b3c13ae54a1d8ba3b103955d19ff0ef78153e647fdc7449b59009d4e48654d478ee3398ecf183da092d59c81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe

Filesize
520KB

MD5
5fff987031b178b7c1e1d3f767d984f6

SHA1
a1bcf11f61fe8a5e1b802a6119efff4e60c19ce3

SHA256
843037e7c067b03bbe986c26705a417d76bdfc2bcb262bf1b23492e5f27bf3d1

SHA512
e6deae514d0201471b94b53157ae8afd6c2077a8edda64f549601305d3a71cf2165078bbafe6298926c25c5d254e4102cff89f04709e4385c29ccfab4cbc28b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVUHP\service.exe

Filesize
520KB

MD5
210d5565c655a84c18744da37d4da3df

SHA1
b163438e74494749dd5bb50c4a54556b772ee674

SHA256
932f90adf56a0b6956c2630615684db63fad31257b4abebc0aac1eaae2f0e6f0

SHA512
b35e9af7622598a4931f5fc2e9e4f2997c8984e32dd9f40aa8e1d314c23f32a1ca11b9d35b13e8a972dbbcddf892fc9e091a616d233c5ea01192996ac5fb0510

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEUELAAVBRMHBGW\service.exe

Filesize
520KB

MD5
f261cf3920771f890090e47678b0dd01

SHA1
3988e796fcf4f2629befefda8473a77490def9ea

SHA256
c144679262d2337605452983bc5d6a6da536c43cab35e72d098768ef76e800f6

SHA512
70fcac1a7bcfab1d61a5149da8603b4eebf2a0a6de310c868ce3e9615b867cd34a76ad4d56a7497d37d9b6c15000c56441520a59475214afc2d2e0ad33fdfc44

Download Submit
\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe

Filesize
520KB

MD5
1d211c9a008461b0939f1997817d05b8

SHA1
5fc74557c65ca2ec3748cd6aad9ffe93bd8294d0

SHA256
b858a79466d65e25169817c52e1162c7b01c9fbc11af52b95cf7fd0209c8440b

SHA512
44a72728c78474a7d1ea37b8f8da6c8efbbf3f832612c87db483e43519f019d4b9cf885c6f04c53affbb5ced1011577f09b07af82faab266f6d06f500dae9194

Download Submit
\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe

Filesize
520KB

MD5
bd5b1a00a8adef50d6f271b4c3ca101d

SHA1
4e580874daf5b663bc890314666f71b9577d6e9f

SHA256
4a59fd4260db4236457e2cb366d077496d326bf63f5393424b50cd7f5691c8a0

SHA512
42078a7dcb16287b051812db185562208e3783c046ed60b3db579947db654a1f65d4b60255945fec79cf6e2541ff2e36cbb304c8779f344bb975c6181f74e45a

Download Submit
\Users\Admin\AppData\Local\Temp\QTJCBIRHNEVMBLB\service.exe

Filesize
520KB

MD5
cc7219e8a4d4013587a6a25749909772

SHA1
90f900eef0e12829e30a7ae4727aa8011ba11789

SHA256
559f5af66163b3f3adde8527caf89a87352d5767db958ef3886790e7fa42ec0c

SHA512
b08935617adf380911bd8e6592d1f4c3e79bdfc41ac84cee06432370188f2e25cb490c966614a1913152a7d8b2e3ae3a456dd3423c916041a3cb65891eb352ad

Download Submit
\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe

Filesize
520KB

MD5
29b690fdc4d73601363c99e697e2944b

SHA1
7b3a84bfc86a87694b44ab52dbd5b9cdf76881e8

SHA256
9ac78ded27d9812896deeabbb31a80cfb658b3d6c27fabea54874fbb6ae63c4e

SHA512
0e2ddd7d2b37e7bc88e71576a83b8805433ecfaf6e15b78214db2a810b931f51bf0dedfdb15e86079657d7f6df028a94cd9ccc7686b5dae37c2c58c28c7923fa

Download Submit
\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe

Filesize
520KB

MD5
06a5b63f8ce76c987a5c9c4cef537bd3

SHA1
35312787b4d39dc50bec87ed8f0da94690e80e18

SHA256
7c97e87ed9b9ce6062d06be33cd0315902a9ad7aed24cc390d0b1245a89f8794

SHA512
1c0d21e2abc7bf014fe16af3d31ddd869e91359496085794680f067d9e040aa9efe926e3312f62981018ca634a234be6f295840c438f25f82f989c99fdc64fa2

Download Submit
\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

Filesize
520KB

MD5
b3b518207ac3b9958ce5320a09a99e23

SHA1
aa8256ba3afb689558ef0b09ff1ce0ce0e76f4d1

SHA256
e839a5239b3431a6c49c9b1a1de192c7a269d558609f4eeacdd13b4af5bcacbb

SHA512
f935586cab14f9b96b644e8efd30b6329b41f2a2b6b0817bf772028cba8bfc131dd6fb35704506ed8319545344fda0ff9db42c12587b519a1e37695c5d0bc7b8

Download Submit
\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe

Filesize
520KB

MD5
e7ee9b99b88e602a86defb3fb3038463

SHA1
b5f9be9182949a156429eab6b0dbc0084e5ba59e

SHA256
5562a939b15c3543eea75eacdc3fe6bff1e6229c870fdb75aaa7f465788e531e

SHA512
3f0bec69494083e2b932f70dbda0738174f8b31102b9948224934df2dd057eae80cb08bbb91dfbab4bdec9f8f50457768045e4231a881a6a2e67e9fad474ada3

Download Submit
\Users\Admin\AppData\Local\Temp\UNMUIHIECJEUIPJ\service.exe

Filesize
520KB

MD5
9a48acf9f72ad8e33ddc4f2c840500a1

SHA1
6c1f8b10cee4a1f2ef93f73236ce66d9592d6544

SHA256
526ef9c1bb031fbe129a08ec86cb09b12f764066d4de577977dbc4e192ad3abe

SHA512
418edd03e2a1644c542451848cc208fb22ee98115c8c3d8c52d47488481622fa7742a5834ce2ccbe9d4cc4ef04747b95888df05abcb24ae6da3849b65231e5de

Download Submit
\Users\Admin\AppData\Local\Temp\XPJCHOXAAOTLTHR\service.exe

Filesize
520KB

MD5
b2718e5eabbd1cd6891d3bc6222482a1

SHA1
c6f829976bf4068cf2304598d50a25175905d88c

SHA256
f5639ba19cf66e0b29b481dce322224383668727ddce09bee024865c4d7d1d33

SHA512
ab933070c6543d4e59e0a8db25d86424698154af9271af97d07099bd279a0edde43fed64ccff309cbfb2f83688982b1d04f19d60afef2db2e58598b0636edecd

Download Submit
memory/2924-1002-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1007-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1008-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1010-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1011-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1012-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1013-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1015-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1016-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2924-1018-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads