blackshades | f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe
Size

520KB
MD5

dcdc52531d6e549f5d6a1f3f190f45c1
SHA1

f0f705d973b85870cc5db25d792f238617177eb3
SHA256

f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a
SHA512

46f00d2fc934adbe5afa54f6debdc56d4149bf5f6bd4613822070827aef3469fe90d6dbcd43df724e745cd16b1e460932c049ec85550d023b07314add9c3d92f
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXQ:zW6ncoyqOp6IsTl/mXQ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral1/memory/4424-714-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-715-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-720-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-721-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-723-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-724-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-725-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-727-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-728-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-729-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/4424-731-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 28 IoCs

pid	Process
4864	service.exe
2096	service.exe
4488	service.exe
1672	service.exe
5096	service.exe
2288	service.exe
5552	service.exe
4768	service.exe
4636	service.exe
1680	service.exe
904	service.exe
3604	service.exe
3784	service.exe
448	service.exe
4548	service.exe
4816	service.exe
4888	service.exe
5320	service.exe
5972	service.exe
4208	service.exe
1356	service.exe
6052	service.exe
4880	service.exe
2304	service.exe
1308	service.exe
2128	service.exe
2820	service.exe
4424	service.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWVNDQMKPBPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGELUKQHYPEOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WKWHGKXBLRYYJAA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCNUYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTDLUAQLGAFVWT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RYJFAQJKTWYJKHQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJYWMWQORCGMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BGYXTUHMTUFYYNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVUCWMCHQHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIDTMNWMNLTFLQC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXUVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAEHTUPNQFTBJBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJDXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRKDJQBCPVMUJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IVCMVTDAYKEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTAQYMXNJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YMNIGJYMTCOTDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFKYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTHIDBEUHOJOKWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULICWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAKXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMFLSDERXOWLVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAXTRAATJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBQRPXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABWSNAWHXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLYOYSQSEINBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLCNOKIKANVEPUF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTRAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVANDRNKPCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UWMGELVLQIQEOFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPFTPMRERTOHLMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CMVDAYOSXEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSQYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGBACXSFMHMJURP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVYJNTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KUQLUGVAFUVTCNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOJYWMWQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QERCAFXWSTGLSTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUEPU\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 4424	2820	service.exe	269

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
5300	reg.exe
1324	reg.exe
4928	reg.exe
2108	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	4424	service.exe
Token: SeCreateTokenPrivilege	4424	service.exe
Token: SeAssignPrimaryTokenPrivilege	4424	service.exe
Token: SeLockMemoryPrivilege	4424	service.exe
Token: SeIncreaseQuotaPrivilege	4424	service.exe
Token: SeMachineAccountPrivilege	4424	service.exe
Token: SeTcbPrivilege	4424	service.exe
Token: SeSecurityPrivilege	4424	service.exe
Token: SeTakeOwnershipPrivilege	4424	service.exe
Token: SeLoadDriverPrivilege	4424	service.exe
Token: SeSystemProfilePrivilege	4424	service.exe
Token: SeSystemtimePrivilege	4424	service.exe
Token: SeProfSingleProcessPrivilege	4424	service.exe
Token: SeIncBasePriorityPrivilege	4424	service.exe
Token: SeCreatePagefilePrivilege	4424	service.exe
Token: SeCreatePermanentPrivilege	4424	service.exe
Token: SeBackupPrivilege	4424	service.exe
Token: SeRestorePrivilege	4424	service.exe
Token: SeShutdownPrivilege	4424	service.exe
Token: SeDebugPrivilege	4424	service.exe
Token: SeAuditPrivilege	4424	service.exe
Token: SeSystemEnvironmentPrivilege	4424	service.exe
Token: SeChangeNotifyPrivilege	4424	service.exe
Token: SeRemoteShutdownPrivilege	4424	service.exe
Token: SeUndockPrivilege	4424	service.exe
Token: SeSyncAgentPrivilege	4424	service.exe
Token: SeEnableDelegationPrivilege	4424	service.exe
Token: SeManageVolumePrivilege	4424	service.exe
Token: SeImpersonatePrivilege	4424	service.exe
Token: SeCreateGlobalPrivilege	4424	service.exe
Token: 31	4424	service.exe
Token: 32	4424	service.exe
Token: 33	4424	service.exe
Token: 34	4424	service.exe
Token: 35	4424	service.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
740	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe
4864	service.exe
2096	service.exe
4488	service.exe
1672	service.exe
5096	service.exe
2288	service.exe
5552	service.exe
4768	service.exe
4636	service.exe
1680	service.exe
904	service.exe
3604	service.exe
3784	service.exe
448	service.exe
4548	service.exe
4816	service.exe
4888	service.exe
5320	service.exe
5972	service.exe
4208	service.exe
1356	service.exe
6052	service.exe
4880	service.exe
2304	service.exe
1308	service.exe
2128	service.exe
2820	service.exe
4424	service.exe
4424	service.exe
4424	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 5420	740	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe	92
PID 740 wrote to memory of 5420	740	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe	92
PID 740 wrote to memory of 5420	740	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe	92
PID 5420 wrote to memory of 4580	5420	cmd.exe	94
PID 5420 wrote to memory of 4580	5420	cmd.exe	94
PID 5420 wrote to memory of 4580	5420	cmd.exe	94
PID 740 wrote to memory of 4864	740	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe	97
PID 740 wrote to memory of 4864	740	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe	97
PID 740 wrote to memory of 4864	740	f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe	97
PID 4864 wrote to memory of 6024	4864	service.exe	98
PID 4864 wrote to memory of 6024	4864	service.exe	98
PID 4864 wrote to memory of 6024	4864	service.exe	98
PID 6024 wrote to memory of 1184	6024	cmd.exe	100
PID 6024 wrote to memory of 1184	6024	cmd.exe	100
PID 6024 wrote to memory of 1184	6024	cmd.exe	100
PID 4864 wrote to memory of 2096	4864	service.exe	105
PID 4864 wrote to memory of 2096	4864	service.exe	105
PID 4864 wrote to memory of 2096	4864	service.exe	105
PID 2096 wrote to memory of 3236	2096	service.exe	108
PID 2096 wrote to memory of 3236	2096	service.exe	108
PID 2096 wrote to memory of 3236	2096	service.exe	108
PID 3236 wrote to memory of 5400	3236	cmd.exe	110
PID 3236 wrote to memory of 5400	3236	cmd.exe	110
PID 3236 wrote to memory of 5400	3236	cmd.exe	110
PID 2096 wrote to memory of 4488	2096	service.exe	113
PID 2096 wrote to memory of 4488	2096	service.exe	113
PID 2096 wrote to memory of 4488	2096	service.exe	113
PID 4488 wrote to memory of 5952	4488	service.exe	114
PID 4488 wrote to memory of 5952	4488	service.exe	114
PID 4488 wrote to memory of 5952	4488	service.exe	114
PID 5952 wrote to memory of 4016	5952	cmd.exe	116
PID 5952 wrote to memory of 4016	5952	cmd.exe	116
PID 5952 wrote to memory of 4016	5952	cmd.exe	116
PID 4488 wrote to memory of 1672	4488	service.exe	120
PID 4488 wrote to memory of 1672	4488	service.exe	120
PID 4488 wrote to memory of 1672	4488	service.exe	120
PID 1672 wrote to memory of 2388	1672	service.exe	121
PID 1672 wrote to memory of 2388	1672	service.exe	121
PID 1672 wrote to memory of 2388	1672	service.exe	121
PID 2388 wrote to memory of 5440	2388	cmd.exe	123
PID 2388 wrote to memory of 5440	2388	cmd.exe	123
PID 2388 wrote to memory of 5440	2388	cmd.exe	123
PID 1672 wrote to memory of 5096	1672	service.exe	126
PID 1672 wrote to memory of 5096	1672	service.exe	126
PID 1672 wrote to memory of 5096	1672	service.exe	126
PID 5096 wrote to memory of 908	5096	service.exe	129
PID 5096 wrote to memory of 908	5096	service.exe	129
PID 5096 wrote to memory of 908	5096	service.exe	129
PID 908 wrote to memory of 6036	908	cmd.exe	131
PID 908 wrote to memory of 6036	908	cmd.exe	131
PID 908 wrote to memory of 6036	908	cmd.exe	131
PID 5096 wrote to memory of 2288	5096	service.exe	134
PID 5096 wrote to memory of 2288	5096	service.exe	134
PID 5096 wrote to memory of 2288	5096	service.exe	134
PID 2288 wrote to memory of 6060	2288	service.exe	135
PID 2288 wrote to memory of 6060	2288	service.exe	135
PID 2288 wrote to memory of 6060	2288	service.exe	135
PID 6060 wrote to memory of 5472	6060	cmd.exe	137
PID 6060 wrote to memory of 5472	6060	cmd.exe	137
PID 6060 wrote to memory of 5472	6060	cmd.exe	137
PID 2288 wrote to memory of 5552	2288	service.exe	140
PID 2288 wrote to memory of 5552	2288	service.exe	140
PID 2288 wrote to memory of 5552	2288	service.exe	140
PID 5552 wrote to memory of 2168	5552	service.exe	141

C:\Users\Admin\AppData\Local\Temp\f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe
"C:\Users\Admin\AppData\Local\Temp\f51282cc23c20d7cf7076a27f50ba7dcb383fc2831e611daec2818e9de43cf1a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCINBE.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5420
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RYJFAQJKTWYJKHQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJYWMWQORCGMLT\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4580
- C:\Users\Admin\AppData\Local\Temp\ANJYWMWQORCGMLT\service.exe
  "C:\Users\Admin\AppData\Local\Temp\ANJYWMWQORCGMLT\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOYTA.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1184
- - C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IVCMVTDAYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5400
  - - C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCBFX.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5952
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLCNOKIKANVEPUF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJTOCN.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVNDQMKPBPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5440
      - C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRNKPCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UWMGELVLQIQEOFB\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\UWMGELVLQIQEOFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UWMGELVLQIQEOFB\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHVUG.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:6060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPFTPMRERTOHLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYDVUR.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJYMTCOTDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJIVCT.bat" "
        11⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BGYXTUHMTUFYYNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
        12⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAEHST.bat" "
        13⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIDTMNWMNLTFLQC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPXM.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTHIDBEUHOJOKWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBACXSFMHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGANW.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXUVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLUQDA.bat" "
        18⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAKXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWENEY.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAXTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCDRNM.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKWHGKXBLRYYJAA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEPVMK.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNJR.bat" "
        24⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCNUYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTDLUAQLGAFVWT\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\LDTDLUAQLGAFVWT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTDLUAQLGAFVWT\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWIGK.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHTUPNQFTBJBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUGVAFUVTCNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXXMVI.bat" "
        27⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QERCAFXWSTGLSTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSSGP.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        31⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe:*:Enabled:Windows Messanger" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe:*:Enabled:Windows Messanger" /f
        31⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        31⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        31⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ANJYWMWQORCGMLT\service.exe
1⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe
1⤵
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe
1⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe
1⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe
1⤵
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\UWMGELVLQIQEOFB\service.exe
1⤵
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe
1⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe
1⤵
PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe
1⤵
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe
1⤵
PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe
1⤵
PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
1⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
1⤵
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
1⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
1⤵
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
1⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
1⤵
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe
1⤵
PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe
1⤵
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe
1⤵
PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe
1⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
1⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\LDTDLUAQLGAFVWT\service.exe
1⤵
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe
1⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
1⤵
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe
1⤵
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
1⤵
PID:5400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAEHST.txt

Filesize
163B

MD5
f4727263e6e04279af4cda8b8cc34e46

SHA1
459df7b020a0a0aed601586be0e43f6db944486e

SHA256
fed095a13c6e131732d81674252f5794d88d13c41398e8bef55a3a7a453d1d3c

SHA512
86612904a2977fcd6aca219aba851c7ecf0e2553162f8cdff11ab271548b18d33b736cb7df526b487d64d9b2d789910153895180ed782c856c516b0be82c2ef4

Download Submit
C:\Users\Admin\AppData\Local\TempCDRNM.txt

Filesize
163B

MD5
f65878270079d01fb9ebed58f396f26d

SHA1
6fe81b0c482720dd4e127fe21fe9d31b88fd27b1

SHA256
93292cc42853c977c5393dbf14d093900124c2585af73c924cec14ea434e86e1

SHA512
dd9cc086ca0faa595babdcdb4cdab2f6c73ea40ef791885ece48e3c8f4007f8527d31d3ea34ff028a3d5d80872581f3fc57dd6cebb02cb749fa083196b733812

Download Submit
C:\Users\Admin\AppData\Local\TempCINBE.txt

Filesize
163B

MD5
ebb9f8994485a4023df4a3b44316aa75

SHA1
3d6cad7197b41c8a23832da71b33680782f54917

SHA256
fd6da4f9c64c7c78c8e74ee20be4098832dd406945f339e5d6865bc506c0a693

SHA512
2f729992a56213054a58ed106ce66d557635018e875cd58751bccc029fcd9052e1255ad91f1cfdd0cc9c3801da5391a66e1cd2dbe5a76b7d56d8aabe1ea558b5

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.txt

Filesize
163B

MD5
805a0854b6bdae48c71ee7464113dc78

SHA1
e875d5d0a2665556c4528d2194e4e721069cd0b6

SHA256
352b1d6863171eea99aabdc71997a75c797d2c196682d593e1607aeb9a3ba959

SHA512
a18211060ec6b9aed9e9595cf1eaf730b6d840680b29fd2059bd731660e4d59f3af274c4d1420b975f4cd44fb750089fda5eb7b44c75e73c36fbe1764b2a2d2e

Download Submit
C:\Users\Admin\AppData\Local\TempEPVMK.txt

Filesize
163B

MD5
ae8f202d4ed2fc59ac1768676e99fa51

SHA1
b1b8df096565f00058f00fcca54eb39ffe6aff35

SHA256
5c6ee0ba63d1015f3ca9bcac2d85aeff2406db14fcef7f44dd51e2a0182d3db2

SHA512
af4278dcf7b56a1ca2f87e420bfc8364441453edb9c0df7f541a90833f86e8f0dac1a53ed93fcf81fd5e5b21ae69acfd5244a01b6895ce900b29a93fb8d4cf4c

Download Submit
C:\Users\Admin\AppData\Local\TempEXNJR.txt

Filesize
163B

MD5
8d1283bcd15a0ef53eeadc7d227c7312

SHA1
6b3e857ce23277dfbb366f5f3bd4899dd495bbff

SHA256
a1427421a05a1ce87d9a32b0141d7ca0080c355acf5401d1d19ac1cfe55a402c

SHA512
fb952d36114c7da520fbc1e0fb40833d25f6df6287b318ded6d50c400f297e11760f2a9b28f9d79c9fbb0c737c12f7724aba5604e0464bfe852ec393dd1fe812

Download Submit
C:\Users\Admin\AppData\Local\TempJIVCT.txt

Filesize
163B

MD5
d1cb87f0b71cd4c336379739bf8c8a3d

SHA1
42e1473360f09e034fa33ef39fabb8661662725d

SHA256
823ab6b2aeb4f1894cb582215859e958e6500c4365bbd3071cc5975ef3832d48

SHA512
5c5505d01270e636f1548d33d9952a9c928119852a42a907cd46e87545b77fa90d66a3d0b3e404e7e1a65cf35008d66b519ce45c4c25d689a601a97617df9c0f

Download Submit
C:\Users\Admin\AppData\Local\TempJTOCN.txt

Filesize
163B

MD5
c4b45b1e2af2cea76afc4b405695c381

SHA1
673a58efa8f72f93e593f2531c2fc97658554c73

SHA256
8b22359b4624b5e92a3e62c6627a1cffa13ce500643f420664aee2f42e8c81f9

SHA512
3cefb1aabbcc4514f3a818fbbcbd74c22d01a438ef63fc226d073f9ec5e2002f39f7e2b9e0431e709d495e3b4b516d880aaf85e1dab796b4322d52348a9b3649

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCO.txt

Filesize
163B

MD5
a562ba50ac89ceabb531ef21fddcab00

SHA1
f0c75eb1085b6816d77e4b151e18cf6e395c213a

SHA256
38b2253fec95804b3b5f3fb791a74900820f6d905d352e3d9c1e545028e30094

SHA512
ca2f2155e8f80f7ed7e5e4018952104433f0c328eb78f89af1b2535a6c4126efc043d5b676d34f276b2987687fcf14a8fdccd987f96184ac320a47dc327ad61b

Download Submit
C:\Users\Admin\AppData\Local\TempKWIGK.txt

Filesize
163B

MD5
b8a279a2f89010e55bbddef3803da98e

SHA1
6d9940aea9bc97a8f40f459f135fcda691a2e591

SHA256
1d7fa0fb3e66d4e53c7955a5685365c68a635dd347132e05a48fe966986b8d0e

SHA512
16373f3792dd2033911b28e6ba1c965e4ea36be9a178761ef25940788214dc68d1ae82a4c582d2fb6ca9bed0eb92c01757047af82af7e90f9061e30262e3a32d

Download Submit
C:\Users\Admin\AppData\Local\TempKXFOF.bat

Filesize
163B

MD5
66dd5cd4e525be1896c38a1aa6d18d8f

SHA1
4239a9d221ab14e1444d94a9abb544027a5ada40

SHA256
660063f2a66177ce71e8722e8c353d4e91e9ed51d0e4d256abb8fe07d30e79fb

SHA512
719261228cddd722b55b7e8f27eac9a65943952d4251b2016f992f252df2eb835d83f63ab651171df84e266f7bf3247e7d05ea172b1a5077800ea68896130b23

Download Submit
C:\Users\Admin\AppData\Local\TempLUQDA.txt

Filesize
163B

MD5
0887f8a053b6634da227e398c394d81b

SHA1
7e302400941306dbb1fb3a489a23add27b1209d8

SHA256
2f72e4b614fd3ffa97fd87de3f00824cd240546d92b4b5516b558b17097a491c

SHA512
e5fd8516383823287089e860205c0da879e62c25160cfd7dc752c0e265fc60847c03aa72c49d2bd0ad1b71b9b3cedbc0be03a6b81d27410251356f5b4f801eb8

Download Submit
C:\Users\Admin\AppData\Local\TempMHVUG.txt

Filesize
163B

MD5
baf076017ce9a15274838dfc3ccb3df0

SHA1
e869ee6bdfdea84ad825d4e2a18a1fa071dbaf36

SHA256
7acf9bc5aca7e4de92000e2f3c85f91bd70fad70bf45c7d77a7c875d6e360676

SHA512
2abdad597b2651ec4959cdfda9f886f9af1f17b892d819560d398d7a02836fbe1e162339fe71b2f0dbc62aed2e43f6d65548374c50c03487cd27e297de89b095

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.txt

Filesize
163B

MD5
e1db282d3e4d4223082eb6593e165a2a

SHA1
d6d79b084a1b06c940932ec39b10834918363af7

SHA256
8a415e2906e36d4e25177fc359d9e8464b29a65bf3bae4427eec85c7114f253a

SHA512
cb2512ff0101738482b800d75c80a8babcad2b0c872712832fbd23e6ad1cdb908fcf22cfae2a94d78b7d2949a011e12439e09e9107781753ffb727429f818762

Download Submit
C:\Users\Admin\AppData\Local\TempNOYTA.txt

Filesize
163B

MD5
06a9ccd81787e5d1b13e6e9dabf0823a

SHA1
cd52a3d78d45bb443fee930745d65478bcf9b87f

SHA256
8b850a40e4733ef09c6d57dcf51b0686b8a6939e4ab0459ff42797990c021d83

SHA512
7db4d82595b2825722a7ce64ca6df327203c6d4f7ae34589fd0671651a56123b5d258701d9b2da949e10f69c08c4dd3b5a1f6acf2512024e780a28e33d1ff755

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.txt

Filesize
163B

MD5
399144d0d3a6d0f86c20c98472449bb8

SHA1
db3f75b699d804bd4da6af8f3d36be54b68090cd

SHA256
586be19c1067fe244d6b4a0a80ac96cdf8625cfb4dc92effca04e6c920c730ad

SHA512
014daa8cc281dc6d655c2e51c498876ae541817fbbb5c6136f3ff6ef3407e2718a9e43d9624dc82a3a2f9eb1126fc7a6a2f155e6639c5914aac9e2d1b9302532

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXM.txt

Filesize
163B

MD5
b2a8e92950ecdabdfcb5959d8c7f1df2

SHA1
3af4f4e2f9886fbb2b6dc671825b448a24efd32f

SHA256
64e265e738ea9f84560e4ca5a7c9284c63ad277f2f8b6328d82bfaa9bcec8bdd

SHA512
d6bd9aedd050a29d5db7f4336f667d2e897009c19ebd3880731acfa5fafd5d2c97dce2e27fc9d3726de8c6d27853d5f8b0a1b0e8b8067e77eaaa3e758ed68570

Download Submit
C:\Users\Admin\AppData\Local\TempRCBFX.txt

Filesize
163B

MD5
036545b1a752b7aec60e394980364c55

SHA1
e9635c6d2785cfbb2fe7c52fe45264f26bce2103

SHA256
9b3bbba43c213d4843e2ef8fc329a73aec58298517213edc6968339a2dd19909

SHA512
2723eac0c68301a04ff23b8ff2c0fd7a2e149562aa8282f2420f8ddee90eb37223d84b1aa4be901f153fd291aaa59b42ac1a4ce097350f766953b2f69a9eec2c

Download Submit
C:\Users\Admin\AppData\Local\TempREBQY.txt

Filesize
163B

MD5
81ea95b9fcd7ed642b213e918d1e1137

SHA1
e17788d9390b05f641705457dcdada7a2a4a5bd5

SHA256
105dc84821d9fc76f854b8910245f3eb3c9787ab1d2ea8c28f1f5820d72f15b1

SHA512
f1461370f040131fea092cae429dd621c16c6d854b64ddfc61a42b1f9dca4ca3a7e507795f3fe6e2baca76cce3891251228da03d4a05882c979a4b1add993b7b

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEF.txt

Filesize
163B

MD5
0f5809153f0d1b90349ad1b3e4e8cc1a

SHA1
2b5420959565b66d64a801945d7e710588945f90

SHA256
7064475b46d1427dd39ddab5100764e987cda099a0147ddff398ad2ed74587b0

SHA512
a00f669572145de170aa6403addbe9cb596df2464f6ccbf6d0b11fcf77eb3f650e8ddffc31b1e55834c6ff396019e54ddcdfdbae72bee98f080500f522d1e314

Download Submit
C:\Users\Admin\AppData\Local\TempTOWKL.txt

Filesize
163B

MD5
e1be8ec9371d749becf33b62dd90db6e

SHA1
237bf2a28738eb7d004e007d4e7377c077c0b556

SHA256
8ad71c6ec33a33d01bbba5f67a66e6befa5c77b645f09798731be26824454fda

SHA512
8b60385dd19529f574f8768f33f9eb45554e1829d8bad98a3f605d0eeee185c25aac74d359a76d34b75434826715e33930cba21a27e440a1dff8e40b3ce76751

Download Submit
C:\Users\Admin\AppData\Local\TempUGANW.txt

Filesize
163B

MD5
fe5d4ee7b49b20431a910d565c5f9b9c

SHA1
d73a6dd3a7d59b7fef87d81cb2f048dbf92535f3

SHA256
52e8d88a6ffda3384fbfe8cd9e9b3a5a93548d14473452b6fe88443ea3c04736

SHA512
f41eb2dbbd558429f606bc59d02f205933bf54f5a2453d880dd1a12819fc91f55c47bea6bcdf81dccee60f5cf79294bfc82b8b58a727e8006b7e75737a4ae99a

Download Submit
C:\Users\Admin\AppData\Local\TempWENEY.txt

Filesize
163B

MD5
51cc6c9ae94b77dea588debe951029f6

SHA1
47a9c665f01a983debd4fa1f35f1ebdda0e41d11

SHA256
0c93b703978d9b5fabc4490ccdb2ce4b0d492a3c4297bb0a590531e9fe9c1daf

SHA512
4d41bb31c1914d26faeff6b2dffa34b860b571ab712890de0262c75c832d9e68ac888b5a68a1de98930a5491a3427690d8fd9ca9217e6ab7924ecd69d44440a1

Download Submit
C:\Users\Admin\AppData\Local\TempWSSGP.txt

Filesize
163B

MD5
1a5ffb40bb1b61b3f2de211f85cb4452

SHA1
29109dfbde3136692272d25d2d366334885c34ef

SHA256
829b3c15ff9c57dc1ceaa8a4270a42885c7cb995198164721e5470fb4bada793

SHA512
01351190368e3c557103977be10a37f2dad788178af57888e50a98d2e0ca69f8b7a4a1b28df5143d149a745d0292cd4eea9c20e3d9b0003a44398f84442248ce

Download Submit
C:\Users\Admin\AppData\Local\TempXXMVI.txt

Filesize
163B

MD5
a9624702f92652a8857b5b1fda35b468

SHA1
dba8956c33ab63c2544c86fcada1e576d798b110

SHA256
0a307fa8706bd033fb4b08413e371b0c4a33948c34abc6dd343d0646b87b52dd

SHA512
9bf6ed6a64f1c8d621fa1e7eddfc8b8d3a14190bfa9d765365fc290635862cb575f0a956460b2161bbec874c511c68c9f108ef90b7794db11b0be38520aba216

Download Submit
C:\Users\Admin\AppData\Local\TempYDVUR.txt

Filesize
163B

MD5
ccd6aaab77c5aa7e63e059e5fa207e8a

SHA1
b466bf1c083d20abfebd85375297fbaeddb5c6f3

SHA256
35537de5a2f5d3c7a510ac512675b4c14f45b88c25323cb7313324e61f9cfe37

SHA512
77029e1f3671a45213f691503741caa4f7b32402c8d42092325728203af58498a3d9f786be41b0a0a202035b030713ad94d65f24a8deed879336f40fc5f7d9d8

Download Submit
C:\Users\Admin\AppData\Local\TempYKIMH.txt

Filesize
163B

MD5
ffc855aff102d74ae673fe8eac8c2e70

SHA1
d68a015334a2510a13d74d7d7391d88fccc0a141

SHA256
eb798d686427248292fb0d88fdd4d552666ff67f5e040f078cca0cd33485cbf0

SHA512
1f257e4af2b78838845681020a1f8e91cdac1889f4b87fcd68b8cceeb115873ded4d32bdb6db3eefb94c8f8422be3f45d018db558bb003cb09815c35f0aa8d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANJYWMWQORCGMLT\service.txt

Filesize
520KB

MD5
68ddb104279cf56ceea8d0fb463aa7d5

SHA1
53296974ba8cdd4faecccfe13d8fc8fa010160eb

SHA256
a627973b284828c2e272880b9fec53e6b1296c5e68154ca8fdbe181a53c750f8

SHA512
a459dd4b9e8eaac01a2a8d54bfd4d5083d2bcca8e76bb25cdc44301c894f9b4abd69b4216766fbc833e7b68e260e4884f8c4528a5910b26dcc0565dae169def5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe

Filesize
520KB

MD5
173d426960ddafec79de8e5404490c4e

SHA1
7293dba93dacce05a5403b9681366d8fed711dfb

SHA256
1942ffcac174e7ed8a3373c24186fa11266a63301865799e92d453035e39a78b

SHA512
08fa5cff44a5561f521a3e44b42f152a1b0a480bdd320cc536667c62eefea956a6db12ad3acd93b0f7c7fc54790182e62a1da6c5628d179190537d35c625cb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe

Filesize
520KB

MD5
2edb41b2500fb1601128d233f9a18e25

SHA1
7f5d3b65fc93d7c95f7e9df1cbcb1ab8e7ff502d

SHA256
4393bf2c6e145eb491ef601085260315c1146bc2044379922c9911ff6d07beec

SHA512
85db18084e3fcbaa66291a308b8571b0cae3d9b001e9984164058450a732bb5215f8ac744b18ba4c30908eff10e109d3eb278f1bde4f460ed4924ec5bc790941

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe

Filesize
520KB

MD5
e92c56357175bee5e50eda10551f2ff7

SHA1
d210f32e631b7e9674fc887b09b4a64220bdfd02

SHA256
aeecb7356d6dacad9b9886ecc89cb9d073e1bfffbee02ce7458b6ee0fe11e0a0

SHA512
2c432e53fb5628d7499dc3d23030c23dad0e61876d0dddaa18e8de69a938e54488b99afb4ed11076382d93f46e28f82be769b00f393b6a8b6f84f67fa7b2cba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

Filesize
520KB

MD5
cd9c31ac87dc5aa7214dc83013d96e9f

SHA1
75267950353a20337ba6908a2e0101ae00f9e37f

SHA256
1df246b9b488efcd8a5ee5d5c22225b4adaf2269adc6067e1338bc4fe5879275

SHA512
cd756adf8cf6f57944c550ef515b20392819c6bfb02c4a90a8a0ca94219e1932458a0dce6bd381dec4b6252a52a03c591673abd16e63054673d953c504c8bb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe

Filesize
520KB

MD5
3c5d2843f11f799b36ec98c2ca47eec9

SHA1
bd8aea14d730d7d069234bd42c6c5d91a3ed9ed5

SHA256
28bfc43e74e95ebbd53dd520b3bcc41f6106117080602a999f88ff88b0fc3fe3

SHA512
df921fc8bcbc7f2779d368a141b0278d1086c209bbd90104622ceb644856750bbb3d3225d372ec82392bd74910e1b2f704497affdb337819683874520c040621

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe

Filesize
520KB

MD5
88a00dbe06601b46c873891cf9a95e82

SHA1
3de4ff1ec1e43c9ed204d6e43285a096f0336bec

SHA256
1098825690504614b8c7b1567a23d455f07ed994648df0583a3b5a5b9d171db6

SHA512
fce11adeaf9e4ff21d4768ee63bd810884aef7161a2ffdff7aff328c91a3c1663a3662adc50e427ccbe4e40c366e99a2a23692abaaa4c596af162e4ae26880e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe

Filesize
520KB

MD5
721e103d371042f91f19bcf7ddabc735

SHA1
43608b463c4107470192463f422c451befab360f

SHA256
6342640c93b16e19d6b977353f110a38d294caa8fd454972b3860de964ca2146

SHA512
749cd4a521ad355e6731ad66be45949738424d8c116eb4507faf4f84e6f86b61f0770275a2191bbdeeef097c89bba6e9bbe7afbb5157a2a3ec2452061133be8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe

Filesize
520KB

MD5
aa9683659f0b3fa781d693a31e73be7a

SHA1
80381f0364bec9b0b449efe8d0104c37be5a8403

SHA256
fbdd99fab75937913fc59104dae089a08528866f20312873d967aaaef214f269

SHA512
0543a9c6721515da29024021f8beee5979270862dc3a9a2920b495d2e51e13b167aa34477269071d2e2883bcf5624067e59bb22524cf606306066200571613a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe

Filesize
520KB

MD5
d578c4b382901a8c7485eadac3045c7a

SHA1
fefa923a4e029c6c83480f3cbc4e0172441be9a0

SHA256
3997aecf4f38855ad7dcb8578a211aa9583118aec941be1ccac4c3b7162cdfea

SHA512
ace5125d7a4e1844f71f05fb2d79a89a262c176938ae0cfc37faa3d038a524d3c133c27ca9f431e39e670d5df58ceeeb73ade946011735486025554fae7b805e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe

Filesize
520KB

MD5
b2a21865e06196ee05c8aff95e83a7fe

SHA1
284a533ed18fd065f944002bfc41e0918290b9fc

SHA256
952c9138476e9b426d9dc3e46cf23018d4a8d09a812f0f7dfa1793d9f37b4c55

SHA512
b5a08268c7b7dda96f761acf7b6ecade464139a9f1574ae487a58a80130de7e249539a8263e9769da81a04cd1eb66dade746b41bf6ab730072eedd6cc5f1b0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe

Filesize
520KB

MD5
687c0b53ab48154cb18b67892e45f419

SHA1
ebb211ea48ea904030bd86f85ea79bf4117e9222

SHA256
fad2d5b881b5dba1ecab3d65d6216f6819e1c4322af5f23504a0c39ff82ac665

SHA512
36ad91c1550d8a2c4b19957cd67515f9f348cd8b0708f9118af5d7fdd0c457044ba297e18926b0cc04e5c2def9452d68d327a567a0fae0c7b8219b55280ec90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe

Filesize
520KB

MD5
0689a28add42b3eb5fd87632adc6dd8d

SHA1
83affc17272dacc373f21b2927c1e4413414b7ec

SHA256
967ad755f8b7a9f70a8808ff522c2493d562321861d078b9a0d8c693dbc1c278

SHA512
7b66742e596b0c93c0631942eba3826d32f18b1767a0b7f6e2b0b241742ca969bdb343d965b05f8cfd62256b1eb46052ae06212c85ce5d515e0b3e3abd3ab0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe

Filesize
520KB

MD5
b5cae9431c5b3918603eeb3d32ec4b25

SHA1
7c37d52577b1447fb04c7e9cd65b39937238280e

SHA256
81752d2476813e533a6d962852cefd0ddb49c4d9dd0008065c75efcb1e0789ef

SHA512
19ea958abfc9c44152ae86e50f1de256e273a3ed532ccd40bb53e62d844580474dd275cb3817e41a43cd8543571e8524a62bb5c800646c54cc76c9e086f5aae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWMGELUKQHYPEOE\service.exe

Filesize
520KB

MD5
875c360757b0f6b84c3f85b38113aceb

SHA1
ff3913b529a9dde12a920cf88c6430b47bd53e85

SHA256
826947df5080c55482127cced78993604d7ba0f9cb1a33d641f1d7eac9eaa9e0

SHA512
bad932a68343b9753ed48583df5ba2405d5578d9aab65f5bf180e50a3a536b8ef59dee2a53e8b460faf8fd026e677aac6f29ca775e1c26ea9d3574e616ac345f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe

Filesize
520KB

MD5
3af43c27df7e8942209c3b0f298bd878

SHA1
a1df52cc664756948107a0ae43c7f5b7fdc9c7da

SHA256
9ad5b984d540d47a38741d7a753632e93afbdcc34b8543314db8744f7151c8e6

SHA512
29d009d55961fbad646a7a460135c9e9e4e6fa98a1dd54c91541dc4cb3eaa013a646076d9d8ba59fc43f3c4979bb11abbb06b4d33a9f6f59d30989abf3cc2698

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe

Filesize
520KB

MD5
eee9794bf7d2a3c74b4b9e781aaf3092

SHA1
c52b5e8a02720a85e2cf9952bb08c2bc0db0e8f5

SHA256
2c3868798006d8708d3d2629891159d9fdd9ebdc77f8bf89810d927eec689cdb

SHA512
cd4303f58b350f3439ed223029b5f2098760a5aee68ff2721d0dfc12372ed4fbc553688f8ad7e7b8f873ca0371dc2c9bb1ebab601567f63d6f1dc1c3534cdab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWMGELVLQIQEOFB\service.exe

Filesize
520KB

MD5
a153025356c59616170ebc246b22ddb6

SHA1
46cf74489e6627b00c72ec1236565ec78cef8df5

SHA256
10bf494d1d44147b212fd3f601b7489416313f1910b1055dd8f4b1777c7fca21

SHA512
f37a96cd6644b7fd893b640b15a3a0960f92e118647e4ab1d3301c634b71fa3bd0f135328e2f70e51238e2e235c89169ffcd6c8ffa52aa55f63e63238626d31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe

Filesize
520KB

MD5
ccac2cae890dfb4887a6906bc142b4ad

SHA1
6fa17ddc316bdb3d5e8ff580bb9f1c20da06e8c1

SHA256
ad365d74c4ad4c532269d64f7617b782c2ab0f63936dcad13feba9e71d00f784

SHA512
b85fcb7261985e6c86bd4a16f6854f4ca11f5600393d9675a80039eeac2dfeb1b9e31f8ad651ba3554325a10e6dcb2cf6f5169ccbb263829f1edb5afc118feff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe

Filesize
520KB

MD5
5ddb95cfa155795125388c4e42ac63f0

SHA1
6c84cc5eff25b3595d43861e2f5b6f3ce21ab2a4

SHA256
fada1e9af5a6a58238dc9bad93dd5abea285a03ac1afc240271d89da8e07e97d

SHA512
41bdb70675836299ff4c927b2edb14a6e47fba502eebd4d41f0a84162b90b0fdd5f3eaf411ef78bd8be715664ebbaadb2019e273f4027cf7e6310853b6f540ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe

Filesize
520KB

MD5
538d2310a8de6dc1e21c6a7383b32d05

SHA1
9c5226039f90cdeec7e55f6846a871e2176e9f74

SHA256
7be5c758e7e384f11b9f59d3f1abb12499637e8c9c9e779e4d6b42766308a84a

SHA512
924b3b4f1618e30e14b8ea7b625fbefe33cbc773e5629da98fdd4bf3db6412c7f14928fa77b7087e7cc0426bb00df5d48710964422c79eb41ae3dd72ffffff2a

Download Submit
memory/4424-714-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-715-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-720-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-721-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-723-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-724-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-725-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-727-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-728-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-729-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-731-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads