blackshades | f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2025, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
Size

520KB
MD5

098f6a0ea095bcaf9af1895393a7e081
SHA1

bdd92ca4e6b0071fce2b5c01ad2f6f190e32cc44
SHA256

f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498
SHA512

3a8521393b5b048c35ecda2ff67c09eb2be3645733c8db5c387cd6c72da652f689685301c9e2b514a1a3b7c9859f4b76736d168488fe8d2cc10daeaae4b305c8
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXN:zW6ncoyqOp6IsTl/mXN

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 8 IoCs

resource	yara_rule
behavioral2/memory/1244-1218-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1244-1219-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1244-1224-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1244-1225-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1244-1227-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1244-1228-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1244-1229-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1244-1231-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSQYKQ\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 49 IoCs

pid	Process
4244	service.exe
2804	service.exe
5592	service.exe
1616	service.exe
1984	service.exe
5964	service.exe
3528	service.exe
5744	service.exe
5048	service.exe
2036	service.exe
5000	service.exe
948	service.exe
780	service.exe
5856	service.exe
4296	service.exe
704	service.exe
4828	service.exe
4084	service.exe
1516	service.exe
5956	service.exe
3452	service.exe
4024	service.exe
4308	service.exe
4848	service.exe
3796	service.exe
376	service.exe
688	service.exe
1172	service.exe
5400	service.exe
1332	service.exe
2580	service.exe
1216	service.exe
4344	service.exe
6012	service.exe
720	service.exe
4352	service.exe
6024	service.exe
4504	service.exe
4996	service.exe
5840	service.exe
4724	service.exe
5292	service.exe
2116	service.exe
3608	service.exe
3808	service.exe
4992	service.exe
4904	service.exe
1544	service.exe
1244	service.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSDTDSTQLRW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUUHJECFUIPKOLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNHIYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWBDTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGDMEJYAXLMHGIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTCDOULJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVARMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQNBNVBTXSPQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELHWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAJASJGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ETURAAMSXJGKFNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSYPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOMKPCGBQVOEEGB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUVJWHFKXYBLQXY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTYJHLGOCEWUDDX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KBYMNJHJMUDOTDQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSQYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WXUDDOVLJNIQEGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUXBSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INJJVSQUPWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXUIUFEIVXJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CINADPQLJMBPWFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEDHYUWIOVVGAOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IGKFNBYCVTCCVLY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JQFGYWFGOKTKITR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSITMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BFVWTCCOUKIMHPE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BLYUCXNRWDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QOSGKFDUSIIKFBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJBSJHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WHFJEMBYCUSBBVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\STBOOAIRYJFAQJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJKFEGWJRALQANY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNRXDEBKCHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OEAWVMCQMKYPBOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMAABWBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXUIUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUFRQRNLSNDQYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVWKWHGKYBLRYYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSUPNUQFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YEWVRSFLSSDWWLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSBVXLPVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CINADPQLJMBPWGR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKUQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TSWJANJHXVMMOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTEFSYPXMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQSIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IJCJJSNWNCLWUTX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VIMIGWULKMHAEFO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROIDCSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FQNMQDHDBRXPGFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPWRHUCLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWUMCQLJYOBOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTKPHYPDNE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SQUPXLNFMMVRQFO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJRDKO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHGMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IOTECGBJUWRPSHV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QXIEPIJSVXIJGPB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NIXVLVPNQBGLYKS\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 1244	1544	service.exe	299

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3380	reg.exe
5204	reg.exe
3656	reg.exe
5644	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1244	service.exe
Token: SeCreateTokenPrivilege	1244	service.exe
Token: SeAssignPrimaryTokenPrivilege	1244	service.exe
Token: SeLockMemoryPrivilege	1244	service.exe
Token: SeIncreaseQuotaPrivilege	1244	service.exe
Token: SeMachineAccountPrivilege	1244	service.exe
Token: SeTcbPrivilege	1244	service.exe
Token: SeSecurityPrivilege	1244	service.exe
Token: SeTakeOwnershipPrivilege	1244	service.exe
Token: SeLoadDriverPrivilege	1244	service.exe
Token: SeSystemProfilePrivilege	1244	service.exe
Token: SeSystemtimePrivilege	1244	service.exe
Token: SeProfSingleProcessPrivilege	1244	service.exe
Token: SeIncBasePriorityPrivilege	1244	service.exe
Token: SeCreatePagefilePrivilege	1244	service.exe
Token: SeCreatePermanentPrivilege	1244	service.exe
Token: SeBackupPrivilege	1244	service.exe
Token: SeRestorePrivilege	1244	service.exe
Token: SeShutdownPrivilege	1244	service.exe
Token: SeDebugPrivilege	1244	service.exe
Token: SeAuditPrivilege	1244	service.exe
Token: SeSystemEnvironmentPrivilege	1244	service.exe
Token: SeChangeNotifyPrivilege	1244	service.exe
Token: SeRemoteShutdownPrivilege	1244	service.exe
Token: SeUndockPrivilege	1244	service.exe
Token: SeSyncAgentPrivilege	1244	service.exe
Token: SeEnableDelegationPrivilege	1244	service.exe
Token: SeManageVolumePrivilege	1244	service.exe
Token: SeImpersonatePrivilege	1244	service.exe
Token: SeCreateGlobalPrivilege	1244	service.exe
Token: 31	1244	service.exe
Token: 32	1244	service.exe
Token: 33	1244	service.exe
Token: 34	1244	service.exe
Token: 35	1244	service.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
4524	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
4244	service.exe
2804	service.exe
5592	service.exe
1616	service.exe
1984	service.exe
5964	service.exe
3528	service.exe
5744	service.exe
5048	service.exe
2036	service.exe
5000	service.exe
948	service.exe
780	service.exe
5856	service.exe
4296	service.exe
704	service.exe
4828	service.exe
4084	service.exe
1516	service.exe
5956	service.exe
3452	service.exe
4024	service.exe
4308	service.exe
4848	service.exe
3796	service.exe
376	service.exe
688	service.exe
1172	service.exe
5400	service.exe
1332	service.exe
2580	service.exe
1216	service.exe
4344	service.exe
6012	service.exe
720	service.exe
4352	service.exe
6024	service.exe
4504	service.exe
4996	service.exe
5840	service.exe
4724	service.exe
5292	service.exe
2116	service.exe
3608	service.exe
3808	service.exe
4992	service.exe
4904	service.exe
1544	service.exe
1244	service.exe
1244	service.exe
1244	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 1620	4524	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	88
PID 4524 wrote to memory of 1620	4524	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	88
PID 4524 wrote to memory of 1620	4524	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	88
PID 1620 wrote to memory of 5928	1620	cmd.exe	90
PID 1620 wrote to memory of 5928	1620	cmd.exe	90
PID 1620 wrote to memory of 5928	1620	cmd.exe	90
PID 4524 wrote to memory of 4244	4524	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	92
PID 4524 wrote to memory of 4244	4524	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	92
PID 4524 wrote to memory of 4244	4524	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	92
PID 4244 wrote to memory of 5256	4244	service.exe	93
PID 4244 wrote to memory of 5256	4244	service.exe	93
PID 4244 wrote to memory of 5256	4244	service.exe	93
PID 5256 wrote to memory of 4444	5256	cmd.exe	95
PID 5256 wrote to memory of 4444	5256	cmd.exe	95
PID 5256 wrote to memory of 4444	5256	cmd.exe	95
PID 4244 wrote to memory of 2804	4244	service.exe	98
PID 4244 wrote to memory of 2804	4244	service.exe	98
PID 4244 wrote to memory of 2804	4244	service.exe	98
PID 2804 wrote to memory of 2616	2804	service.exe	101
PID 2804 wrote to memory of 2616	2804	service.exe	101
PID 2804 wrote to memory of 2616	2804	service.exe	101
PID 2616 wrote to memory of 2932	2616	cmd.exe	103
PID 2616 wrote to memory of 2932	2616	cmd.exe	103
PID 2616 wrote to memory of 2932	2616	cmd.exe	103
PID 2804 wrote to memory of 5592	2804	service.exe	104
PID 2804 wrote to memory of 5592	2804	service.exe	104
PID 2804 wrote to memory of 5592	2804	service.exe	104
PID 5592 wrote to memory of 4076	5592	service.exe	105
PID 5592 wrote to memory of 4076	5592	service.exe	105
PID 5592 wrote to memory of 4076	5592	service.exe	105
PID 4076 wrote to memory of 3936	4076	cmd.exe	107
PID 4076 wrote to memory of 3936	4076	cmd.exe	107
PID 4076 wrote to memory of 3936	4076	cmd.exe	107
PID 5592 wrote to memory of 1616	5592	service.exe	109
PID 5592 wrote to memory of 1616	5592	service.exe	109
PID 5592 wrote to memory of 1616	5592	service.exe	109
PID 1616 wrote to memory of 3844	1616	service.exe	110
PID 1616 wrote to memory of 3844	1616	service.exe	110
PID 1616 wrote to memory of 3844	1616	service.exe	110
PID 3844 wrote to memory of 5708	3844	cmd.exe	112
PID 3844 wrote to memory of 5708	3844	cmd.exe	112
PID 3844 wrote to memory of 5708	3844	cmd.exe	112
PID 1616 wrote to memory of 1984	1616	service.exe	113
PID 1616 wrote to memory of 1984	1616	service.exe	113
PID 1616 wrote to memory of 1984	1616	service.exe	113
PID 1984 wrote to memory of 1860	1984	service.exe	116
PID 1984 wrote to memory of 1860	1984	service.exe	116
PID 1984 wrote to memory of 1860	1984	service.exe	116
PID 1860 wrote to memory of 764	1860	cmd.exe	118
PID 1860 wrote to memory of 764	1860	cmd.exe	118
PID 1860 wrote to memory of 764	1860	cmd.exe	118
PID 1984 wrote to memory of 5964	1984	service.exe	119
PID 1984 wrote to memory of 5964	1984	service.exe	119
PID 1984 wrote to memory of 5964	1984	service.exe	119
PID 5964 wrote to memory of 5200	5964	service.exe	120
PID 5964 wrote to memory of 5200	5964	service.exe	120
PID 5964 wrote to memory of 5200	5964	service.exe	120
PID 5200 wrote to memory of 792	5200	cmd.exe	122
PID 5200 wrote to memory of 792	5200	cmd.exe	122
PID 5200 wrote to memory of 792	5200	cmd.exe	122
PID 5964 wrote to memory of 3528	5964	service.exe	123
PID 5964 wrote to memory of 3528	5964	service.exe	123
PID 5964 wrote to memory of 3528	5964	service.exe	123
PID 3528 wrote to memory of 4536	3528	service.exe	124

C:\Users\Admin\AppData\Local\Temp\f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
"C:\Users\Admin\AppData\Local\Temp\f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHGTAX.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEWVRSFLSSDWWLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5928
- C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe
  "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5256
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4444
- - C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe
    "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIGKFM.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQLRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
      "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYXJR.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VIMIGWULKMHAEFO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDCSTQLR\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\IBQAIROIDCSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDCSTQLR\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXUIUFEIVXJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:5708
      - C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWGTEC.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CINADPQLJMBPWGR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5200
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDOVLJNIQEGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWGSEC.bat" "
        9⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CINADPQLJMBPWFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
        10⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUHJECFUIPKOLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDAJXF.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FQNMQDHDBRXPGFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        12⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        13⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASJGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        14⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJJVSQUPWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKJXEU.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TEDHYUWIOVVGAOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDVTCD.bat" "
        16⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ETURAAMSXJGKFNC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGQLY.bat" "
        17⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSWJANJHXVMMOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFO.bat" "
        20⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "
        21⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQSIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIWESR.bat" "
        22⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DOMKPCGBQVOEEGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        23⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOSGKFDUSIIKFBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBSJHS\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBSJHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBSJHS\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRGPC.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        25⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NTYJHLGOCEWUDDX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOGD.bat" "
        26⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WHFJEMBYCUSBBVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBXWAO.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQUPXLNFMMVRQFO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKO\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKO\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHJSOB.bat" "
        28⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUMCQLJYOBOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTWYJK.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "STBOOAIRYJFAQJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTCNS.bat" "
        30⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGDMEJYAXLMHGIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        31⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPGEP.bat" "
        32⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IGKFNBYCVTCCVLY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKFEGWJRALQANY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNRXDEBKCHW\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\CLUDXNRXDEBKCHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLUDXNRXDEBKCHW\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMFIJS.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OEAWVMCQMKYPBOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAHC\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLS.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPUHKL.bat" "
        36⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JQFGYWFGOKTKITR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
        37⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDLCXA.bat" "
        38⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTECGBJUWRPSHV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
        39⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXUIUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTCDOULJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKOOIA.bat" "
        41⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IJCJJSNWNCLWUTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLC\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAACER.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVWKWHGKYBLRYYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
        43⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXVEF.bat" "
        44⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BFVWTCCOUKIMHPE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
        45⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSPQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        47⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHMADV.bat" "
        48⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QXIEPIJSVXIJGPB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBAYEW.bat" "
        49⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KBYMNJHJMUDOTDQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        51⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        52⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe:*:Enabled:Windows Messanger" /f
        51⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe:*:Enabled:Windows Messanger" /f
        52⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        51⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        52⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        51⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        52⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:5204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAACER.txt

Filesize
163B

MD5
185970797f2203074a9ba4ec4366a5a8

SHA1
2901c7c87abdbe2cd81a54e76c72986545ead65c

SHA256
fe45befbd7a44d1f547d7fea896701f6ffae0a53759b2b9865b6ea54bc49a50d

SHA512
fdc854c53c4c38afbebcc7ab92d295b48555468e12cfeae70ab0ae3de1f9f69fba784b6b1fd056abba06fcc820e0991f301c5e6a53a5978594ca22bae320cf19

Download Submit
C:\Users\Admin\AppData\Local\TempABPYL.txt

Filesize
163B

MD5
96b4ca64d7342dec2f9c031d813bf5a8

SHA1
92a2a016d2b0a5675c55d68f49bd49b0f35504e7

SHA256
db82a69e00689304f91706cb74399b74737e80d518f269683a46c9ca10ea23f1

SHA512
33e7dd4f90a225ad4e92cec3b665a4bb2b10303b8e6903b823dcda97dc5b208942919169fd53e110ac452b9673f9e26f63dfc23bc3d7e4589063d693942262a4

Download Submit
C:\Users\Admin\AppData\Local\TempABPYL.txt

Filesize
163B

MD5
4df5afdc2573d2976d07cd921c69be5c

SHA1
163b53a00c5f09127940c6823637e148641d629e

SHA256
ab9e6a3928985cf01d78b40e9a52774ac86b47acedaeb7330f3ca007a4bdd3f2

SHA512
0311b4150a3ca965199436dc29db9d942247717a8eb3e1b9a10a745d9bcb956a24a0f34f8e2e7235f979cb3ae29eed64b82f989a09e4a132e4eca1a2fb5d2838

Download Submit
C:\Users\Admin\AppData\Local\TempBAYEW.txt

Filesize
163B

MD5
79d50ea716d44a3d4fbf4fa6448ba7bb

SHA1
94adc30e1b69b36948e00ec8b4c58c18c252f570

SHA256
57baaf5706e1c93818fd69d420fb62a65c9d42fb3afa373c55b5e673d7136375

SHA512
6c7a01f7072f83ad8ff336e304e72aad9f0357ceefa9171c57a35481a41d4e8371626c7288b2b0039150adf11ccdb116891da9a1fa62501019306c5de4482a11

Download Submit
C:\Users\Admin\AppData\Local\TempBXWAO.txt

Filesize
163B

MD5
d372a2327f6190393e497bfaede7c078

SHA1
a39b3ca1970ce08bed1c4aa8f80a8ce45dbf0298

SHA256
1dc13ce7c583590aec4b68f850f8d8c69411600c5e88f494cc3d037565c03332

SHA512
5da75a195a93b8a6dac5626a17a403f47f621555807e5cd67a3f0d381ead88996b06f55081488c28040fa0ec49bcc4e749b3f540995182d47c6ff3f0a6bed416

Download Submit
C:\Users\Admin\AppData\Local\TempDAJXF.txt

Filesize
163B

MD5
698f7f031083fa92063c2917e8441283

SHA1
f4a7e77c70f2e7642ef344db4666e150116b51ee

SHA256
7daa6e3bec9e90e14699241e136536f952c6e4b4c182bc52c4b151726c8f88ea

SHA512
e05f88f99bcac2d50705a38c1fdbd1e125cfed5acc7a8c8167bb9a6da2677f644261fe79bcdb23cf87097cb85bb451e66af2a822ef73ad39bcb3beb1868ea12c

Download Submit
C:\Users\Admin\AppData\Local\TempDLCXA.txt

Filesize
163B

MD5
863d4bd31506e1d3d54a609f9d0c14d4

SHA1
dcfbc8c033adbdd286603437284a212730136dde

SHA256
f62bd1a70b3afa90eeeda98b7e620784550b1e22be4e248185c31535204760bb

SHA512
a379f0a0cfed902503af7dff0e823caca8d6e2cf50f52d44363e6f1e56d5e35078bf703f1b32f270ec9d470530ba94a30d0eabaad7472d7c5bf91a91def207d0

Download Submit
C:\Users\Admin\AppData\Local\TempDVTCD.txt

Filesize
163B

MD5
9f3250dd22ab0c93b44cfdd1f2ab1b80

SHA1
f8a7839164211feeb5af9e738d88c28faa09c791

SHA256
0d96c9886c6a6f848b03094122ce85f69950a440f8e2bc8ef404d170af1e5c27

SHA512
6c25b6dc5ca2e702baff05d52ce1ccae92d8bf3269904ef6d5fcd5d915223a8b7ee6959b93b77c8dd123d7d4bf250a1d119af24d865b388b31495e34ff80be4f

Download Submit
C:\Users\Admin\AppData\Local\TempDYBNK.txt

Filesize
163B

MD5
4b6d47751dfd37738277cde9ea821f56

SHA1
89d9dd9b82f6c6f682b22c0b21e1b9479884640b

SHA256
772c800aa5c76ab47196bbecc34bfbee419d02e90f6de096aafbbb6a77a0dec3

SHA512
21dfe78a52933747ebb17d8a8b3d0b4dd67282e8e572a02f91fb300d50b4a98a7467882737a183db455215d7c446fb41c64469346699dba1c12cf15026f474d8

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOJ.txt

Filesize
163B

MD5
c40ccc6024a32fa2c1e0ba2c35a0eeae

SHA1
5d886dd1fb775cd8affd36f73b5e126e397baf00

SHA256
236db63c9d6c1927e670efe893af4b151f28357d3cf2a9014ddd25dee444fe6a

SHA512
9c64772c50c1c4dfdad08a0225b21461498b949e0a4e05de1745262755c7f13fe16465dccfe8e06dc64ea9f345381341c4f288b04f1833b54b7173df2edcc5ce

Download Submit
C:\Users\Admin\AppData\Local\TempFGQLY.txt

Filesize
163B

MD5
4a6aafdcddca38fd4452f4a4cdd6337c

SHA1
e22b5745833dc865756e52467243985918520f2b

SHA256
403b6e1d55b724ec8c95b4b3a8707e93e3f3868e031cd2990df06830a8854e1c

SHA512
1d3f33469ce096d740d57891285aabcfc1cb76dc3affaf6c5238e8a9cf034a8342c69a34febba521eaa03944a54b222ed53dc8beae63a212f869c734c660a1f8

Download Submit
C:\Users\Admin\AppData\Local\TempFXVEF.txt

Filesize
163B

MD5
33e2ea6e9527e6953f2d9b1568478147

SHA1
3986a392ea90a124f26e717d7d4c0a0827f2c7bb

SHA256
bac6980728eceb8e8075c47b6cf1b90b7f4bc231800f910193eba816a11e70ad

SHA512
099d97fd8295568004879998d283e210699e3a98f402efa79fd13518d82b7d92d693fb50553cc3c56d026d1a838e0449dc01e67eaf9975023fea1e4687d77041

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.txt

Filesize
163B

MD5
55386822b98d8ed4a5bcd53a2af0035c

SHA1
a3ab20041af41179863e96d11dcccd0cd0b59bd2

SHA256
4fb2ff9347ddf1ae2a8479001afe115e8619a53aab6a4f9b78936c386dbb917f

SHA512
20e563b7612f5e27712bf31ba8c2a1e672cee48cb7de863ed8ac7f3811e6fce325db375557723a300c545821a1df9fb17bae99dd008a50283e0aa6cde7b2e35a

Download Submit
C:\Users\Admin\AppData\Local\TempGPGEP.txt

Filesize
163B

MD5
5057c7deaee0be38c6a572c4924394c2

SHA1
ff4c90ce5cf750d7672070cbc204702728108dc1

SHA256
c4919d240732fae3df7e46642238888548ea76972ca7195a847fd005991f7b60

SHA512
a429c31158dd27554d917c7e3351a62f2743784ad140fa2fa80645b3989bb304f4b6446422e39e064a6f81e90cba00fefb25011ba0e555ab998a7a8c02d38775

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.txt

Filesize
163B

MD5
4ff1d66e34088078840e9bfb6eedb146

SHA1
8d38af5d68d2bf926e09b6078a60bd1a85eb4b43

SHA256
9365ebd186294f5c3a7613c2f779d3eeed6037afa5c5dd1362c1bfbd14c9628d

SHA512
b9f8854a0e4573fca547d497f0e9d49d171f1a1cc65acac21781b0bc91a45c332c313b011666b9046acc954499694dc099c392a5601717a0984d1b6664f51e2d

Download Submit
C:\Users\Admin\AppData\Local\TempHGTAX.txt

Filesize
163B

MD5
41394e9027dd4bf5186dda21cd506523

SHA1
197acc312e27c23cdf8e6ca59e1a403dda55c3e2

SHA256
850e76c30989f78039777785057c9d85437fb7b0819d26440c25c641ea841024

SHA512
73ecfbb05fe3640487f2a73d9f928e6319acd4b6c8ba8207f3fff94c35f164c4ea7fed21b2ab8ff5474b05400436b9e301f5339d2b696a1df1b539cf8d417901

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
77f2157bb7bde6ab023c9b51a4a9fd81

SHA1
247b2fe1329f6f339ec27151e252297cb62e5e71

SHA256
3a90cc6dce1c3a8104e80a959285c642f9f365a7b369202c9a6107b74959b87c

SHA512
9d7b6927642ac997930fca5ac7e3d003c9288c148207459faf1bb1a14e0a21d8a983b3b33412f732b14f36731451ee45cd2c39b67b3d4476c974866372314bb3

Download Submit
C:\Users\Admin\AppData\Local\TempHJSOB.txt

Filesize
163B

MD5
d5b42124a1ec00265595c03beda17c79

SHA1
60c7ab6de7d7f9e6e3f23f4c9f68c53b066740b5

SHA256
aa664cc6e60297fe391f3ed90b2ead1fe17d4dc0647ec25530e403903b722a0e

SHA512
b4e185432b89c15ad8b21d65e870df23d5bda77a5eda29fd1c8308056689c94007cfaefc9a297d743d1b889bf1fda889df84c046887de7506f5046da81156459

Download Submit
C:\Users\Admin\AppData\Local\TempHMADV.txt

Filesize
163B

MD5
b1ac7387a436ba37ee3b7b12dee66424

SHA1
8f839dca1d37be1203098e6ea2faf527e3c890be

SHA256
c4ffb9bf8a7613ba16e115235d681366cfcf5edd0f7a8ff4403c3b44b42712c9

SHA512
d735cd4b84dfc4cc42ecffd76202e389ca982c48bc98f7131f57eb6f9f6c708bf68e929b1030dc1919a3aa2f953697abae5cc72d50e662a9a27b5675288a5470

Download Submit
C:\Users\Admin\AppData\Local\TempIGKFM.txt

Filesize
163B

MD5
259fcf2d77cd48c375b929493d9e95d0

SHA1
ae081b27b04fa7248d5a76d5a71b4cf3abb748cf

SHA256
03d5d4132156b47723a4dbb1e4c4972cddb4849d49c11bd99b16b9b0741b3253

SHA512
daa5860fd72a954f303015944d10875b968a5e40d2631e7c110696447747ceac4e47d29f3c523ae1d576c48dfbc14a1ab2f5b0f18ef4ae8686b6a53fef50dcfa

Download Submit
C:\Users\Admin\AppData\Local\TempIWESR.txt

Filesize
163B

MD5
8da3efe615536c6d6ebb1b2808cd0992

SHA1
eea2ed0e2743c7252158cbc8d158438a6f4a2ccf

SHA256
c866ffbb1d425c57c4d12b5447ec965f2e4a669e3161773f9228734dae7aa54a

SHA512
410b807a36a0c0f5225059724bb7107ffecd81e452eeaa463fe30f3d87589db4a1e6efdabbcd558549a48d7fcd1d359b5e69912590cab63144ffef8cb139d520

Download Submit
C:\Users\Admin\AppData\Local\TempJRGPC.txt

Filesize
163B

MD5
557fa2fa33afb66eda036be8498d62be

SHA1
1e6934f06628a91bb0caeb02bc9b0cba7ce4af9d

SHA256
cd08c2a2d004338565de275b26fd31f88ea7f07816add82a687b100d21ca1d46

SHA512
86200222cff4bd3d75e4ed305ef9fcfcb7447d66524ca2d8429fabe3815a15c3040cc20453eee80534e90de9ff78225b744cb74ca9a15005f5cb854778f7a56c

Download Submit
C:\Users\Admin\AppData\Local\TempKJXEU.txt

Filesize
163B

MD5
3382cacb44e2058e3e113a645804d135

SHA1
01c4c8181c5412ddca1d14083b22bacabef260c7

SHA256
12210cd048ec25e5d9d8479db9ee39654b86fae74c42d8f8f600c76d75192ce1

SHA512
b53457ae0866ec613c43ad6244510fbb7e581ae18d49e4cf026448294f627de8f2cdb0207e56c11f028f57f8c4cc88709250081f160f5261470a028559954aa3

Download Submit
C:\Users\Admin\AppData\Local\TempKOOIA.txt

Filesize
163B

MD5
44a7d8a49da70d1cb84394652021767f

SHA1
5340b959ad96bb290628d47c0d19cccf36b5a418

SHA256
7cd9c63fd2b2027efbab2d5249e3527ab1b7d4c3f1582e65ee0bf24e1c1c5fd6

SHA512
719d2183b1e4a1afe5d6eb33a9c5c8e19df09ce6e79bf4c2e8c521a06c66fc15ed380a948495c3c80e9693d13a02cbbb5358c5f81ec0a1ce685608de667d171a

Download Submit
C:\Users\Admin\AppData\Local\TempKYXJR.txt

Filesize
163B

MD5
459c155e9bab597f25e0067c40ce2096

SHA1
528950b5c46a3d97225b9aaca50e851169814b6f

SHA256
ec470917b7b63c01f00bd3b186d1a705651282cab6c06f1c4c5d8473c35f6aff

SHA512
6723b3cda6cb7e2a236e15c1bf7d6b7e6849888c2d6841c5e3bbb1f68ce5f6f408f132a4845f34962200addd79fd8c867b90de88fb907433daa81ab21f8b7c0b

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
fd50b11471ea34b28ea4baf4cf00447b

SHA1
7da4a4a45ebad76a7483aa0aa190263e26c5988d

SHA256
16a4179f62df9a3eecb91dc59d53bc909be3c905bfe923ca44764f1432329705

SHA512
997af4e9cfcc8962f5e6e0998087c5b71c0ec7c2701cfed0e5d0765640fb221167911a141ca279d57149228f3272bf2157ee6132df0fd28fdf8c9cea85419c61

Download Submit
C:\Users\Admin\AppData\Local\TempLTCNS.txt

Filesize
163B

MD5
a1092701483796a3e5d197525ba70983

SHA1
beed98b4c01fec6dced35392a384c65af50e3cb1

SHA256
11607c9f0d6bd345daba563e502b233179b8b7e2cc40a8586ebb46073a418c35

SHA512
ae29f88ad91eca4d75596da9831288d5d3a26e840c2224ca0b210053f81ecff212afb8cf5a8aa467e192c15ded21cc098731eab808471c58923acd8d4941371a

Download Submit
C:\Users\Admin\AppData\Local\TempLYGPG.txt

Filesize
163B

MD5
2538190c6062703177adfabf523b9e75

SHA1
85c7ead20672b32c7efdfc2a759c252cd82bac7e

SHA256
16f5e79997c3314eb05c63dfb750478c20bf0f0b485544e73fb8521214643c42

SHA512
3e99bbd7c635083eb18b1f53f4abcee43429493725ce6cc4b557a7fbf8f6fc0a61315e85701b42ce2f52f16c60cf48bb5dfea3b5061db8c54fc79276fd67d846

Download Submit
C:\Users\Admin\AppData\Local\TempMFIJS.txt

Filesize
163B

MD5
1cd1beee069ae42365badbd9dad7b65c

SHA1
65bb15bbae2c6f2c3096c38bbaba142629f90c7f

SHA256
c1c89ec523f5fe56d0e3a3a80550a9befedf1f04597ff4875072e8e48155d517

SHA512
ddf2f1ae74d9f92ee76e52f12f4ef114cf904e7f4e83a5d64dc90e53687076f8e68b56abcfca1ec657126ba2ff09136e6ef7de7726981b4b24d80174d5f9430d

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.txt

Filesize
163B

MD5
d36f52b72f890f9816f82108f3219ba8

SHA1
d55ed4e31d75478bd71972708ea7767d5670a119

SHA256
fa0a5170bd97a8bf6283957de765c139b321888054f32ac7a03f71f19fa92da4

SHA512
b99dfa0fed5f4dbfa12ae996c73384cb5fecf57516793362bff8a022e087d64e6dc2836a5f6187a121547a400a4f325b337cbb356ed1da25e282824cc7976634

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
84892a5454aaf392bbcfee1cf8a3cdfb

SHA1
f9880bb88e1f3ebd625376f45c55f66d563e254f

SHA256
a91a600d24fd7392c09b4fd3710d78d12e21fab1a5db1e32b9f0cb954d563958

SHA512
b6c6ca4e99085452383b5558a86036531ec42ababb894d90e12e317554c80d8f3d39216d51af57d2f5216936915b45d6d8c232c553831116151820f35d65b66c

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLS.txt

Filesize
163B

MD5
9f996b54a13d663907c4f20701de7171

SHA1
e91a9522d2f4c7e947f72b76af7ccb1732c68f66

SHA256
118ba6c8e8580d7820c7359f787f87a946a3960e87575536c2a7154e77e6a2f1

SHA512
ba495db0b354dc66583103ca85428ab80f5cf5e95d208977c8042d658bc1bd044fc0f679ca50a993ebc438f5806ef9dfc0579a258e8ae9c9d3c493f01f74cbd4

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.txt

Filesize
163B

MD5
f5384b44e8e5e967c113012b496349ff

SHA1
81eb9aebe47f4ce35b312f234ca6e33bc81325cc

SHA256
5eaa355f0dc5eb39ebfe20614e41728909ff00ae656998aa368f043c52bbf5e5

SHA512
5f9f8d6696d8f0cdd1eda4cb8285d9c2036a4fe636141b09f330487caa94864832fcb00f53f22f2427b80db49bd7f175538a07f3e93f737d21699c6dd1f9142f

Download Submit
C:\Users\Admin\AppData\Local\TempPUHKL.txt

Filesize
163B

MD5
c67eb0323017b2d8024deebd8fba513c

SHA1
94ef6c95f687080199f6de10dbf22245ed37b5fa

SHA256
fe3c105429491db683860f9ebd088a661a57a9813cc71d54fa49371f90718daa

SHA512
3fe9e77d1b530362376d97909c8a405156c22c7c04987715bbe18e76c0b03db515e06ab5d924be49945f3b40a14f9695110679342dcfbb7acddcbc0a398b8f51

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.txt

Filesize
163B

MD5
da20af3ca3dbd6a196bdfa7c8cd6c44c

SHA1
a3e81f3c07be2c0e0b9ed76426e444194afd7fb5

SHA256
4683007f34d1c87274ec8a80f3842a7f0f9f819a91353e2fb80956168731f7d1

SHA512
a425082c3e141d6038981355c0a4a659625f4339d68da13d5e92ee109ea04c266fdc1a1b316fd8e4490feb20586e2aff1a8db530192c75701bb6c536491f5daa

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVK.txt

Filesize
163B

MD5
aed2566b34c5a80a2c6349bb95d5f09c

SHA1
92ec497b21505affc5800d9969c73a47f88527af

SHA256
6005f8e5baf7daafdf52ae2d66471f496046fd49707fc687ad291792983934e6

SHA512
36fbf0c891d9f646a01a5df607fe1ef0e81a798d0beb15df352955e342712649aefdb4e17731faef3ece678354a54d523a6956ccd5d728ad49d012ab230e0b29

Download Submit
C:\Users\Admin\AppData\Local\TempTRVQY.txt

Filesize
163B

MD5
f7c923a843e0d95ebe69f776eb230133

SHA1
44a53b27a56e0857c377fc5600c86a57fd377503

SHA256
aa8fe656b91eade8b15c0617bc0dbbe492a24bb550cc4630b8f6c230ad2996a4

SHA512
b4a1ed013bc2a296f14280e5b1450b699d6a4303e1e346d25effefea96d5bd3048c455192e8cdf0983549556550b0e5895dbc82dfd4f8b3bc520d081e3507895

Download Submit
C:\Users\Admin\AppData\Local\TempTWYJK.txt

Filesize
163B

MD5
bd292743a63c1ae4f55575bd1f7f2c09

SHA1
89586a41bca2e68e1c94975ca4cdb30b3c0e8934

SHA256
bf667f4d97fe3e1ddd0af325c7cf7605772e71934d766ba734a2e09ba7cc9c67

SHA512
0fa7fe60b2c89d700477d131ac74f50a1e2f70b9bb0411c5c6ca5a0511a580f42393545fff28eaef153623f32ac1cd425433014c8827c29ac1af0dcdbec55eff

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.txt

Filesize
163B

MD5
61101519a3da1228d0e0498cf23f87f5

SHA1
23984750bbaf6fceb0c0fbeb529e99639b05e8be

SHA256
9c159a7dda38e907392f7f5f8eca5e53c87da914822ec84ede5bea5c8c8d37ac

SHA512
26ba91b2024c784543aa8b1d4ee53960426804d7e818bc01b7ee35966601d6d5cf9a520ab631fe0f86285f4ad5cfcf7796a81db944e4f89b6842e4da25103a71

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.txt

Filesize
163B

MD5
80fcdb7f0d083ecadec5420f5524c4df

SHA1
04f86b3afa07b6fbe7e2591bdb3799cc2e78750b

SHA256
743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa

SHA512
7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.txt

Filesize
163B

MD5
70df44cb0a12e5fd5f9a613756ea7332

SHA1
560f202c68244336231b3919c1c3d6d2cb977ab0

SHA256
6f3a21fb17a05f8976c3aa102c3a64da41ae1b9fae3acb88a8b2055ca2e27ef6

SHA512
b53a0c868354a439d0d889e42c636328d02a5dbfffdc10e755b8937d97c1345f2791c851be717abb291e5ae4a4f82c484237a21cd31783e2d1b6c2d166aa4e8d

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFO.txt

Filesize
163B

MD5
dbfd9b6db7038be035b143a5c27f6de5

SHA1
4ea42c16695201dcc20a48815f3af93c59c892d7

SHA256
b90b026d1eb0eba3c20292a65232d3beeb08b012d29063d427879b455366a2cc

SHA512
03b713d9248e078de7c3d2262e504d7454076bbffce59f94bb8dad5e394a0eeecacec6eba35a8f5f67972225c20873e4f17affe70d573a7d57ae0a952f958403

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.txt

Filesize
163B

MD5
1399dbc77f546e4388630f5161e09568

SHA1
47445eaa0bd8b653b4b995f4f366a7441a0ebd16

SHA256
bcc4d933529646d58a38068e0b0564b9a49ee9e39eb89e06e5f31dff1fc07518

SHA512
24204a5bef0751f85d5b15a9c935b3284169e67c72b9e99d04088b95c3bd46f0a2ee3140d95c459ee1ff9ac720fcc1038eec3d34025036ca0984c081761eaba9

Download Submit
C:\Users\Admin\AppData\Local\TempWFFOK.txt

Filesize
163B

MD5
136995d08bf8029fc152609efd5f78ae

SHA1
feba98078b608e7ff79f620f89318e514567dfc6

SHA256
76f998ad80d22315dd921335516d42f5f7a9c66ecfed0303519e1d4e362d10a4

SHA512
f0e2c72f7196b84d31055efda93bf74c22847a8573361da37a2378d4924615f3bb6478b29c8d8ac9a5dad2a24152fb70a30444bba9770122b68c976ac96ec66a

Download Submit
C:\Users\Admin\AppData\Local\TempWGSEC.txt

Filesize
163B

MD5
f0721638849f396c4de69bb1be55d3be

SHA1
a45e3ea0986545bf78aac3d076767a0fb81411e2

SHA256
3254accda385a03d85bf28fb4e4e0da8793d7bdce1f8f7dc13c69f31a12bea57

SHA512
60a9fd14db22949cb7832034427dd3ba5137b25b0deb9ba65968f6ae0d436f949f81a960a56c0c0719779c2c6eb3702faf4fef870577cfe193e109b3376d9faf

Download Submit
C:\Users\Admin\AppData\Local\TempWGTEC.txt

Filesize
163B

MD5
4ea912391beb90673207a48b0e374d57

SHA1
7fc710eadb15c945bca50025d866f044019f347e

SHA256
b99b3dd7e07263da6f42c976221acfe1566e93af3c990a413b5e840fbc2af5be

SHA512
3496ab7b996d99a9ea938a0a1c29bc65b118e1e60d386e2a6ee8605cef4075364c68472944a35fc6aff0b3a300c204c17348293466340aff4e948f7856525bc3

Download Submit
C:\Users\Admin\AppData\Local\TempYGOGD.txt

Filesize
163B

MD5
4b6b4213a6274deff4ca98e7bb0fd4ab

SHA1
ad0b1b25e8b71b3c14c40e8a064d72aa88e3e6a4

SHA256
b60d1d001ef0e51c969f6f40e26bed2b518e09345230e104370aecd4a1c5b7b7

SHA512
b490f77f739a0d4e8f2a3f37a68e67c133a44ce9191343044910f23f8add242c4e9e2d5f6924e501a1058c71bc04b21f9fa18cd5ce3ef734be68d4bddf90a1fc

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
8d838174ee8ed3220ee3100477da63b9

SHA1
2cc94e920b38437218cc484daf44a3a0cb3a00db

SHA256
e66207d4093fd122c4413c37f7591fcb16b877ac283757947547a7f0a1a0a398

SHA512
e6374bec6072403fe490e4770fdd106182fd3941a2689e63c7d7e2cda67125303d7b133235b8990e458b63c55deb6726bacbea8948714592183321bfc8b0eb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.txt

Filesize
520KB

MD5
edf2b2061bc3106d97bc53a10e5f5195

SHA1
09fecb5293409ed4060260f7b691a94757f0270a

SHA256
b24493d1ccc4c71efc32363b38e2df32598c58e4c2272fc0d65259d01b3bf6dc

SHA512
8e665edd72772bffdff23e655840718c8175ba88958c3c4938575befd035c3aa0dcb096d30305b2e585c06b960518d5edb62804ac4270d8fef8f9d14d8e6178b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe

Filesize
520KB

MD5
496385753539fdb5bb97382510d973d8

SHA1
709d4be42101a24ded49080cfbbbfabb3f57cf59

SHA256
71db941726db3195e7da833e30e47145c7d5829a71e810d0404ca681eddc5583

SHA512
bf2cf2e46b7ae9279b13516c2b6c05b4aa55e74f9bbc019d52409c66a0e5492f2e219caee71974074f006877b35a94748a2051c2322c46af359ee54cfff5537d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe

Filesize
520KB

MD5
91a12abedd69b3599396f6a73b7a2cd0

SHA1
c63bfc0564de445711e21ba0525c9ec46c15b254

SHA256
89ec5f337c4fb81115bc68b0f8f239c9a6ec64a984fad83a9d68c3501478fcd3

SHA512
af6ea44796e84f47ea8df71e489f0d2824f73b6f7a02a8d532c852d328abf657a995ec046f95b8ae1347f6a88e3ec0402dd71b9606a5336e72336db1d48514c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe

Filesize
520KB

MD5
114b702c1e697be29c1d3259dd18a431

SHA1
13862ec7c087ebf0e6c4521d55a22ba54d0230d9

SHA256
fb791e312623f8a8ba937e3538b4739c4e337effdbca94561b20719c32a9ad0a

SHA512
da1c9f1ea26841c6e0230778a70ac355243b2d0f9acfa02da1cf74c31dcd3ad76c50db49581b362378a69a6f20ae7247d246db2ea4f0bbc988099be920e981b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe

Filesize
520KB

MD5
10c5fd4e9fbe80952d00214b3d39ddab

SHA1
b66a57c0cbc23c65be2efeaa8a29acbecfe36c65

SHA256
1c595be8860c0faec9fa3df9f8d2953e1408c1093abdcf9ae580cf242c9f7f43

SHA512
5cd63bf1130d433150b7bbde04c0d1d2b59b80a7a958739e1cd0fb078e16c7a46cf9d0a0d4588c5a2ae322acb5d52c362dc99b0af9f1a0eba9d1dd96a7e4fc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe

Filesize
520KB

MD5
c7b8fdc6ad193bb5b05d117c8eac03f3

SHA1
dc03881a781b41522897120ea3bc286ce3d15338

SHA256
be3f057b786b1c1da1944996cf6507b2debac12a6e5f3fde095fc4931c1fdcbc

SHA512
09212138121fbf15495eef5606ab3f10bb0649cc33df7e156c826527295e2dbef3fcd3da2c42cd9eaee1851b36846e4b2ca54ea01bf7b64afff0f4c6a9e22088

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe

Filesize
520KB

MD5
327f5ea0a409b622cb9106dbfaec882c

SHA1
225388a49d177b46bb196385bf3edcf723df4642

SHA256
9b276ac0f958c6c3c42026e0947e1d0c618b6133249d8bb49ca9fc0e7c6eaa00

SHA512
7e3ffb07b5785a3d9357a3ce4bf0f63e53c5f5a53134a395f853f25e21f6456bf6f307fe79b7351e921d46eafc73f3966bf603c4998dfca40312262536e52009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIROIDCSTQLR\service.exe

Filesize
520KB

MD5
793c9a00b522b1b02aac67afaf0930f3

SHA1
d4497f0a55b2e242dbb3dbbb1966fd847d5cdd36

SHA256
1b31e39f40add56ba0a63c1cbc3f1c573fd3561169d043c8a98be8d1409950d8

SHA512
d21f0e1f85a133ea076d5bc46b6aeecafb3cf3bd3af63b81853e2ea13291494ef0f3d613a87e7249a839e3b3b18d9d4d06c17c94811b3436d77f20eb0f3cb593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe

Filesize
520KB

MD5
627c9bc24e7bac143f4c26c08a3539ca

SHA1
932d69750d54a66c314cec8945954e850691d02a

SHA256
a86c450090125c94b85df725ac87d0143622bb01638033dce50440aa0f37ca38

SHA512
f811124d3074e0369217c01df81a0e6a60280a0c744830e1e302e5ffa7c223ca840e1f1dc519429675bc508e76858c70c0f956ec6e9129978ba9f35500f42ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe

Filesize
520KB

MD5
619883853b062211bcb7d89ed3cb959e

SHA1
7331b4b1fb5d2fac9642f4fdf5476c37016ee07d

SHA256
d0bb8b016d9a7dfe53fd6e74906c59896d0cd35eb42508c4e7705f41877b6313

SHA512
a966a6b808433005158831db6140b615d0982132792c49305e9d2895588168812fb5c8a435d0d5f564dc04d4988177cf34f6d5808b6ab4f690c1ef4722041b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

Filesize
520KB

MD5
e7ecc709291afc7da92447b915df02b2

SHA1
41dc7625a00d11e6f1921a6174a5391a6b76599c

SHA256
1035c68478e241f0abfd6802afd965828778aba257a83a5bce77109c903c7574

SHA512
27ad1aef69e17830801f88c797dd79404f552f6d612607cdea49378cfb9ccf007e27884ed4e4f536d5a777003fc4ad00a836078f6d873614117a7ced8173c0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

Filesize
520KB

MD5
eb4df0e7f5ba640b9323af468418b32d

SHA1
ad0ace2acca735b8ee281b857c694e03cf4c9704

SHA256
2d7b3bde2836a8e7a93ccb08feb8cc06b160ab3e9e0d43bde18059065f1b47a7

SHA512
365cb317b1e32fee32c38087f51042e5669025c9b3b7e2a7c103cf5120d52ea5d89ec16ac5d9e29f2e0368b14b03a5b9d6a3340f86268dc84892157e2e97d03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe

Filesize
520KB

MD5
b176db3487e362e06785c150cb5d0fc7

SHA1
99bfa76c46a1d489694510c4c64812600da6d016

SHA256
ee611e9242ab7cd5a33614fd9034e85c68b49764a332c60e45f453e5ddf7763c

SHA512
317d2c0e5c7acba4913a4afe1fefa2095de8be3ea5c6b4729c852e4b4fb41a17932758966f7369832c5687d93ee4b69bf35251472095844908596703780a1ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

Filesize
520KB

MD5
537bbc432d5409b35deed701783fc74e

SHA1
5e2c9d069b3fb2c490fb61514e46ebc8d3a19fc6

SHA256
3f42662b1dcb17f81f60faf99f8efaa20c6fe9f9cc002529bc8177c014e4aec2

SHA512
6b2adf40027d77f3ebc81f7107d3bb21942ae8608031fa6ba03839e6e4fc503fffc2f090b198e677ee44e1a90b11177d12e719ae00d833d71df85847d7f1ad18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe

Filesize
520KB

MD5
da237f0e0649674bccb0b03c752a6df4

SHA1
3b0164dadf25077510a6da776468f0b954c2c831

SHA256
abe9c3e021c65cbc13fe0c740abf535470df55330f241c8bbddbd2b36cd458ae

SHA512
6c56a899de46780d980f25d5f5ced10e5ce37ea1a7243cabba416d1b3e541d949da8782ce0fdd200886924dc866059f2dfcf2613404e120feb3ce276e437bf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe

Filesize
520KB

MD5
ed9ae6affe6b267c047cf05f6346395f

SHA1
710e6bfe2bbfda054ded66f6d02eb9b2c0a57ea7

SHA256
220a9d280abb7b9571449ce4f663d05461f1b3866ae272254f6832ef15c1d7e7

SHA512
f54382d449d300f7472a8f1b38b86a0a37c9402d2a2973bbf727b85e7bf3e52ac4de5e51aa4ed52c09b694470d328054aaa17bd741905a4fe538f6799ab844b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe

Filesize
520KB

MD5
b4da74e16d9e8d640252f72b1adb41b0

SHA1
24531aa96ae29e69e585a9aeef04009fdd8e359c

SHA256
e106670489cd99c4741e82ac236a5302dfdfa96a30934f710213bc23cc104564

SHA512
b9c7d72ae1d7fdeee6923caf0d3bbb527fb038a2aaf2897fe0f09e16adb782d9fdf1065de64572f9d8187447154c4d62605159910ea1220b03331dfcf756e3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe

Filesize
520KB

MD5
bd7ebd98909b3383903221e2178834b8

SHA1
5e0423456950255884153bb62d653a0c4082b9e8

SHA256
e6ee480f89789667026c4d1124388336ff7e4875eda6a10f0a5ccf64236935c4

SHA512
a928b1c19f1bbebcf0d1f4a94eb3183473d445c7145fe2c03b8b18594b050c65ad88fedce94954efaa9899438416107e5a65b9d1976301c4254c75f0185d3897

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe

Filesize
520KB

MD5
bcfe1786575d93447e50a244c86f2dba

SHA1
9962a385c50969b467845f708f48f533ff280f84

SHA256
b3e386754bceaf7246eadbf42ac97bbf2895899f4c30bace668c418f68e9a56e

SHA512
17b581b6c413e6858dd25f93614b00be67e5199431362394aa82d7541a09e5ad56a2d12c58f53877389768ffcc2fd7a6a137aba4718e16932799e23d2b18d48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe

Filesize
520KB

MD5
31e99e177e3c3916c643cbb51fcfc8ba

SHA1
858b0d9c987b45164cf239c1190081ee0abc56d1

SHA256
8c76efe365d21cb6c371699b56b72228416ebf7c4e646d6ee135149e9e7e16c2

SHA512
162e3016f527d771afdd7ec4f2a1fe258aea041ea1f51332518febdacb8690b942d5a8dd023dfdcc18ec19621cb7b1af8b2e347da140daf67477b25b005e7602

Download Submit
C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe

Filesize
520KB

MD5
5a107db918bfe3034004aa733c3682e8

SHA1
c7c13b911e851c8b91394dbed90fa364cad813a2

SHA256
9d067364a7a51ae5a5dc0bf22167816bf8c079236c7102a46be57f569ab69b4f

SHA512
7cd3194d88f9ce8f3113704a0a815ed30aa72f9b52e0ef8f974807f759147592e51b71f616b22374fecbd122331554d9bfe4a7cea2ac2de0a483e86294905b62

Download Submit
memory/1244-1218-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1244-1219-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1244-1224-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1244-1225-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1244-1227-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1244-1228-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1244-1229-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1244-1231-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads