Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2025, 00:09

General

  • Target

    5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe

  • Size

    520KB

  • MD5

    a063fa8d55ef10a00c8ee2b8d3fdafa7

  • SHA1

    1cccaf0554849a13c6e527e2da90c1d5b7f82282

  • SHA256

    5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646

  • SHA512

    b5d3cf50f4cebc7930d808d1fcb97a34059d42c2a5e20d5aa9cb24dac5ca5d60c75e83018b313773be156eeb56ecae7aaca3a83333cda0f49d1702602921f60b

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXZ:zW6ncoyqOp6IsTl/mXZ

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 8 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 44 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 43 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 47 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe
    "C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempNVJKK.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWREMGLYITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1752
    • C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
      "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXM.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBETHOJOKWS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2884
      • C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\TempHPGAK.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KFDUSIIKFBDMIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe" /f
            5⤵
            • Adds Run key to start application
            PID:2152
        • C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe
          "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\TempWSFCR.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCQGTPNSFSUPILM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe" /f
              6⤵
              • Adds Run key to start application
              PID:2432
          • C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe
            "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2436
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\TempFAWPU.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:808
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWXAKQXXIACQMLY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe" /f
                7⤵
                • Adds Run key to start application
                PID:1488
            • C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe
              "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2584
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
                7⤵
                  PID:1872
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe" /f
                    8⤵
                    • Adds Run key to start application
                    PID:1420
                • C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2704
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRC.bat" "
                    8⤵
                      PID:324
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
                        9⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:1308
                    • C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
                      "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
                      8⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:860
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFO.bat" "
                        9⤵
                          PID:2376
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFPYWGDNHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f
                            10⤵
                            • Adds Run key to start application
                            PID:2528
                        • C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe
                          "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"
                          9⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetWindowsHookEx
                          PID:1892
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
                            10⤵
                              PID:1672
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe" /f
                                11⤵
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                PID:2196
                            • C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe"
                              10⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:2112
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\TempMYUAS.bat" "
                                11⤵
                                  PID:3020
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVVIKFDGVJQLPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe" /f
                                    12⤵
                                    • Adds Run key to start application
                                    PID:2264
                                • C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2976
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
                                    12⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2868
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XXKMHFHXLSBNRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe" /f
                                      13⤵
                                      • Adds Run key to start application
                                      PID:2668
                                  • C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe
                                    "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2228
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c ""C:\Users\Admin\AppData\Local\TempSTYEF.bat" "
                                      13⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1536
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /f
                                        14⤵
                                        • Adds Run key to start application
                                        PID:1708
                                    • C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1724
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
                                        14⤵
                                          PID:2024
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INKKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe" /f
                                            15⤵
                                            • Adds Run key to start application
                                            PID:1880
                                        • C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe
                                          "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of SetWindowsHookEx
                                          PID:1712
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
                                            15⤵
                                              PID:3036
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYHHSPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe" /f
                                                16⤵
                                                • Adds Run key to start application
                                                PID:2928
                                            • C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe
                                              "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious use of SetWindowsHookEx
                                              PID:2684
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\TempBOWCU.bat" "
                                                16⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:976
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXWKLHFHXKSBMR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJSPKEETURAA\service.exe" /f
                                                  17⤵
                                                  • Adds Run key to start application
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1456
                                              • C:\Users\Admin\AppData\Local\Temp\JCSBJSPKEETURAA\service.exe
                                                "C:\Users\Admin\AppData\Local\Temp\JCSBJSPKEETURAA\service.exe"
                                                16⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Suspicious use of SetWindowsHookEx
                                                PID:1308
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
                                                  17⤵
                                                    PID:1428
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
                                                      18⤵
                                                      • Adds Run key to start application
                                                      PID:2816
                                                  • C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
                                                    17⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2532
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
                                                      18⤵
                                                        PID:2344
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
                                                          19⤵
                                                          • Adds Run key to start application
                                                          PID:1012
                                                      • C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
                                                        18⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1496
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempWBTYT.bat" "
                                                          19⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2096
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WWKLGEHXKRAMRBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe" /f
                                                            20⤵
                                                            • Adds Run key to start application
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1376
                                                        • C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe"
                                                          19⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1936
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
                                                            20⤵
                                                              PID:2892
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHCRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f
                                                                21⤵
                                                                • Adds Run key to start application
                                                                PID:2336
                                                            • C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"
                                                              20⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2640
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempMUHNS.bat" "
                                                                21⤵
                                                                  PID:2200
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe" /f
                                                                    22⤵
                                                                    • Adds Run key to start application
                                                                    PID:2260
                                                                • C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe"
                                                                  21⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:2884
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
                                                                    22⤵
                                                                      PID:1372
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe" /f
                                                                        23⤵
                                                                        • Adds Run key to start application
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:296
                                                                    • C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe"
                                                                      22⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:600
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
                                                                        23⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1060
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SEMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe" /f
                                                                          24⤵
                                                                          • Adds Run key to start application
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2024
                                                                      • C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe"
                                                                        23⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:1612
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
                                                                          24⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1460
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVMJETNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f
                                                                            25⤵
                                                                            • Adds Run key to start application
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2928
                                                                        • C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"
                                                                          24⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:1052
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempOVKKL.bat" "
                                                                            25⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1280
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMIURPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f
                                                                              26⤵
                                                                              • Adds Run key to start application
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1720
                                                                          • C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"
                                                                            25⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:892
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempHBPYK.bat" "
                                                                              26⤵
                                                                                PID:2304
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTFDHYVWJOVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f
                                                                                  27⤵
                                                                                  • Adds Run key to start application
                                                                                  PID:2212
                                                                              • C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"
                                                                                26⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:1576
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
                                                                                  27⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2384
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "USRVIMIGWULKNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
                                                                                    28⤵
                                                                                    • Adds Run key to start application
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:912
                                                                                • C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
                                                                                  27⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:900
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempCUYTP.bat" "
                                                                                    28⤵
                                                                                      PID:2196
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFIXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe" /f
                                                                                        29⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:2100
                                                                                    • C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe"
                                                                                      28⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:2540
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
                                                                                        29⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:2172
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f
                                                                                          30⤵
                                                                                          • Adds Run key to start application
                                                                                          PID:2772
                                                                                      • C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"
                                                                                        29⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:2936
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
                                                                                          30⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2644
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe" /f
                                                                                            31⤵
                                                                                            • Adds Run key to start application
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:2668
                                                                                        • C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe"
                                                                                          30⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2240
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
                                                                                            31⤵
                                                                                              PID:388
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe" /f
                                                                                                32⤵
                                                                                                • Adds Run key to start application
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:2188
                                                                                            • C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe"
                                                                                              31⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:1868
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
                                                                                                32⤵
                                                                                                  PID:1700
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOTGKFDUSIIKFBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe" /f
                                                                                                    33⤵
                                                                                                    • Adds Run key to start application
                                                                                                    PID:2156
                                                                                                • C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe"
                                                                                                  32⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Loads dropped DLL
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:2432
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
                                                                                                    33⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2052
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f
                                                                                                      34⤵
                                                                                                      • Adds Run key to start application
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1528
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"
                                                                                                    33⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:2488
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempAGUCQ.bat" "
                                                                                                      34⤵
                                                                                                        PID:2588
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYMKJNAEAOUMDCF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
                                                                                                          35⤵
                                                                                                          • Adds Run key to start application
                                                                                                          PID:3008
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
                                                                                                        34⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:864
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
                                                                                                          35⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:1052
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFCTRHHJEBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIGR\service.exe" /f
                                                                                                            36⤵
                                                                                                            • Adds Run key to start application
                                                                                                            PID:2444
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIGR\service.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIGR\service.exe"
                                                                                                          35⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:108
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
                                                                                                            36⤵
                                                                                                              PID:1996
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
                                                                                                                37⤵
                                                                                                                • Adds Run key to start application
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:1072
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
                                                                                                              36⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:2404
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
                                                                                                                37⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:2144
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f
                                                                                                                  38⤵
                                                                                                                  • Adds Run key to start application
                                                                                                                  PID:2124
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"
                                                                                                                37⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:2160
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "
                                                                                                                  38⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:2580
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe" /f
                                                                                                                    39⤵
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:2372
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe"
                                                                                                                  38⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:2264
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "
                                                                                                                    39⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:2860
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe" /f
                                                                                                                      40⤵
                                                                                                                      • Adds Run key to start application
                                                                                                                      PID:2904
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe"
                                                                                                                    39⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:2756
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
                                                                                                                      40⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:2072
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
                                                                                                                        41⤵
                                                                                                                        • Adds Run key to start application
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2680
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
                                                                                                                      40⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:1688
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempRQUHL.bat" "
                                                                                                                        41⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:1972
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KOJRFGXGGPKTKIU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe" /f
                                                                                                                          42⤵
                                                                                                                          • Adds Run key to start application
                                                                                                                          PID:1216
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe"
                                                                                                                        41⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:1976
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempTGMRC.bat" "
                                                                                                                          42⤵
                                                                                                                            PID:2876
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f
                                                                                                                              43⤵
                                                                                                                              • Adds Run key to start application
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:3048
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"
                                                                                                                            42⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            PID:1648
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempIJRNW.bat" "
                                                                                                                              43⤵
                                                                                                                                PID:1940
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGGSYOMQLTIJB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe" /f
                                                                                                                                  44⤵
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:2484
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe"
                                                                                                                                43⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                PID:1712
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempDXAMY.bat" "
                                                                                                                                  44⤵
                                                                                                                                    PID:2116
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /f
                                                                                                                                      45⤵
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      PID:2828
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe"
                                                                                                                                    44⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:2960
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
                                                                                                                                      45⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:1452
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                        46⤵
                                                                                                                                          PID:1000
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                            47⤵
                                                                                                                                            • Modifies firewall policy service
                                                                                                                                            • Modifies registry key
                                                                                                                                            PID:2352
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                          46⤵
                                                                                                                                            PID:896
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                              47⤵
                                                                                                                                              • Modifies firewall policy service
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry key
                                                                                                                                              PID:2528
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                            46⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:1332
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                              47⤵
                                                                                                                                              • Modifies firewall policy service
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry key
                                                                                                                                              PID:2080
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                            46⤵
                                                                                                                                              PID:1008
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                                47⤵
                                                                                                                                                • Modifies firewall policy service
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies registry key
                                                                                                                                                PID:1800

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads


                                                  • C:\Users\Admin\AppData\Local\TempHBPYK.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    67975c64e002bd96649f93521bafedb4

                                                    SHA1

                                                    3a26ba200ce1871a064030becfed26d3bf51d1e7

                                                    SHA256

                                                    40934c5fc5a8347071e337c87656a659caf82664fd1848ac13edf332eb49417a

                                                    SHA512

                                                    1b23ec073702d2a28f1f3cc0b98f5d7c9670642c29c41d3675fbddcfa30b50e0fd039d91f74adc3f480888dacaef5abaa0fe8241874a121b3e17b71dce16f0f0

                                                  • C:\Users\Admin\AppData\Local\TempHPGAK.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    0e4a5a30058cb9a2ebb8f89cc52152f9

                                                    SHA1

                                                    6d641bc3ee220ae92b3345ef06bd0f43f1f55dcd

                                                    SHA256

                                                    a0f35e0d7598d3df85db4d94be5d966f04ef7f852d1f82723f0051358f0f12e3

                                                    SHA512

                                                    142cb720355037fdc5b16703354a6a0d630c4a5a6a2d5d30b9f18a8756b5a5565b7a6d2ad628c7eab52b8bb3c9dcc9bcac11f174cbb718ab71094c7c7fc8b173

                                                  • C:\Users\Admin\AppData\Local\TempIIRMV.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    c29b65e2d961463ea3a891d4853c8097

                                                    SHA1

                                                    084ea68f1e7dfc34469a56f244daed956777d943

                                                    SHA256

                                                    f22fd4efc0bd3b02c6465be47f31ea9eb84691a0c71f87307045d0bac798177e

                                                    SHA512

                                                    d3d04f5f4fbb5e9d052777beb71aebd6a36a73510e0f53137c6dd91122dc0b3055ccb7bd9085b86c8c9058cf1e658c5cadc431fd46479c1aeb2cb366cb924a70

                                                  • C:\Users\Admin\AppData\Local\TempIJRNW.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    1ebc655db6056107e60d23320bd2792d

                                                    SHA1

                                                    2632bbf3415f0612ed52c4789b6515166bb9b4e9

                                                    SHA256

                                                    df15ffe26a6fd33fec5eb3f93ea273b4794d7e85a36bd947df1636b1862c3018

                                                    SHA512

                                                    904e444bd1afe4ce1c7279c6fd05923ffef934aedefbbf640f44b6089c3b553ccc2e3b4a21c0f32e188717fca95cc9b946d404807adb1defe9cd44cd6925fd08

                                                  • C:\Users\Admin\AppData\Local\TempJBDRN.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    91f84d7ba68cac13d00da85ee81d9325

                                                    SHA1

                                                    f4142af9ed1387c57bd08e42660f6fe1a9d81b6c

                                                    SHA256

                                                    c70d8c41edb692e56c5c429eb5d95461654780180672e5f54ce02c76f2a88c0d

                                                    SHA512

                                                    b8766f657e4027e422daaabc0ed0ac556d1474dd3ed354a7c5d4b23839290148585443143482022353875bc46c53840b44f5df6ad7bfd04bf044a90259ec4dcd

                                                  • C:\Users\Admin\AppData\Local\TempJSOWN.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    ad49e8f7b0949e71b589ec3fd874e326

                                                    SHA1

                                                    eda2caad0f07e9d1fc5d06e138f16974b1180237

                                                    SHA256

                                                    3a2005ea06d63523c9a70c07e7acddaa697a046a825c5e24c763ec5ea63772dc

                                                    SHA512

                                                    bdb68d66cd4e3280284dac30151f5f717aef46b0d8be8130d872c40ceb7cb68435c3ddb87a5b2e3062f40eb6196675459c9fb0e410058169a3a3dfe788eadb47

                                                  • C:\Users\Admin\AppData\Local\TempKXFOF.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    f5e32640b80a435dead33fee40e71f4c

                                                    SHA1

                                                    e43db0656ee9805498e1bb9f416440adb48a4717

                                                    SHA256

                                                    89e0d74c0f0a3411e1758fce5992828b2bfeabf24c228a7d04cb3b678760667e

                                                    SHA512

                                                    37f5ef386f4cb358cbcb2f4a98e3524e53fd262968679059d00365aff0a1ef73fc0e3e693c131ebf79c1c7d21b6c7d12aeaf2d7f5d15ad303d2db585972cb0e3

                                                  • C:\Users\Admin\AppData\Local\TempLHVUG.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    36b91e7ec0e9fc300fdc3617692a4fca

                                                    SHA1

                                                    8b3c99b391236fa9b9d3996b1305d832875441e1

                                                    SHA256

                                                    a906ae8d4eeb0e74b9b94b2cbe8bfb70e3b0516b7319b221d632cd3249392c7f

                                                    SHA512

                                                    da5f81d424e70e1e04c3ed4aad71da3287a44a26e93f82b34ff577fe7ffd0a1f6ab7e821d702201c26314f294c361f9abbdaa48082adaf0e7036f14b05d1acac

                                                  • C:\Users\Admin\AppData\Local\TempMIWVH.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    6222fb334c7941f4196254dd714daa57

                                                    SHA1

                                                    831d3adf30de025a64cb66a1448b751a4502d5cb

                                                    SHA256

                                                    8a75cc94f984696b5879fb5635859327a603775cea14519b352a1a4abe3620c0

                                                    SHA512

                                                    bcb10782f6077cc4fcdd12dc2c3a5e50f1958a0b028af03e2889242c8823078455dad042284a57e828abcfc6dd0a8cc613f49f93902a3c67921984013a1cdc42

                                                  • C:\Users\Admin\AppData\Local\TempMJSEK.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    28e6280656f4432f6c5cf2f7d1efd4e5

                                                    SHA1

                                                    e9d7fe148d5eb7b565137843359fb0feef7fe28d

                                                    SHA256

                                                    df6d7e81b8746e9ef08d113859c81bd6554252f7842c8952e529c272b52aca6e

                                                    SHA512

                                                    ac26c666b19df427db6fc0c858ab698dd3e2ef50118e43134ebd4785614900b814a508970effcdfd90f850328bf3925c2cfafda37e01cee2dce0e624908e296f

                                                  • C:\Users\Admin\AppData\Local\TempMUHNS.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    11ad762658723fe1b07038c8e4abc9b0

                                                    SHA1

                                                    6b1230f97f32cc96cb804b5f8f298db5256d61b6

                                                    SHA256

                                                    50785427907723a9a882eb1d1445f49c12aa49c2c91ebbd6ff09907d535b6a72

                                                    SHA512

                                                    772ec9d8d6caa163e5d2b1aeffc90df81ea74a513117b85389d5e880e257de1cc6405817cf340474a71e4d9fdab3a005610e563b37586add9416a5cf4575da88

                                                  • C:\Users\Admin\AppData\Local\TempMYUAS.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    5d67536cac9d4735f6bfe16681d51409

                                                    SHA1

                                                    921d1d3fcb12b99614b48221ae9aa7d4d8da1b56

                                                    SHA256

                                                    3ae573b4b5b2ee31bd9e51453a3e3f91f983e356825e46a1b2db27c0d070ba1d

                                                    SHA512

                                                    82725f26a44a5697214d232d84111fa083f8347f27e9e1a0efe444938b3895828034be948f63f097b20549ba3611cdc9cd8e2ef70c63caaa8055838f9530d9e8

                                                  • C:\Users\Admin\AppData\Local\TempNVJKK.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    b9ca59e26c1a77eda59f51dd6f4bf0fc

                                                    SHA1

                                                    7d02abc2beeeb3328373e4090600fd48dbae19af

                                                    SHA256

                                                    c41f4f6f20c47cdbb7bb3ffb71794da45b11120bce06ebf4f0298c81bd0baf89

                                                    SHA512

                                                    6eb311fed928e42bf99554eead7dc25276d924fb058c5d4afa71e861149c45ac01b3103d4a33195fa499513cda55a64a4f7f98b6a34bbe16057859ba67e217fc

                                                  • C:\Users\Admin\AppData\Local\TempOVKKL.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    d5589ec82ef2cc43314bf46f81eb5109

                                                    SHA1

                                                    8bf20b514f48991fd70a6ec1725d49eb1743c190

                                                    SHA256

                                                    8e21f38d067597422034365b0e588c1c4b4ae06ddce290548ab4d71bcbe183ba

                                                    SHA512

                                                    d392e4302e23939bb99a4aabc07311c1da817efe8131ae21d78e625e7d7b7a4360180e108d0124958eb7b7fa7e2a59f4a58c76847f309d947c73ca462ec8d4eb

                                                  • C:\Users\Admin\AppData\Local\TempPVLJN.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    9070a3a91e63272c3d38d7770dbf0b1d

                                                    SHA1

                                                    5ec82741f07aaa3ae2f7c612145911dc8f047f60

                                                    SHA256

                                                    9c30edddba00879913701b1245f4e462a7e8b5fda8b13936c8291f615287d1c7

                                                    SHA512

                                                    641eb7635bf6b3910746b836b31b7c21fb7f68a04d77347f399ccf3303c8f006d77ba2197f0860007c737e1021bd7035dc4c52c4e362f384c99dde1da0c9823e

                                                  • C:\Users\Admin\AppData\Local\TempQBVUJ.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    878f9cef61636cca20cfb70db6163294

                                                    SHA1

                                                    6af0e6d2f4839baad8de028762aaae888e12e698

                                                    SHA256

                                                    224e5d724d4f06b25b986fee6169b27ae18dcd8060982a5842bfa7a22430dda3

                                                    SHA512

                                                    84b6f14411541b4043692c395b4167e6d619573e1495a2aea63063ff7439e91c5034f75e664159462c7540a1a646560b6af8645a6033756dd804924819ccd211

                                                  • C:\Users\Admin\AppData\Local\TempQUPXM.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    f022a6bfb903b26530ac84a9a43b3c58

                                                    SHA1

                                                    1eda6994a37cfc0e5e3d2aea4face2e852ae44eb

                                                    SHA256

                                                    48647d0ec174464ad23d0bd7fbea8b963a0ae29a2dd1ed84db2170a68cfa00d1

                                                    SHA512

                                                    ebb95f75a6c33db0be819e0a614eec1ec742dc9ce7f63727b642291a9fea24ba39d59e7984faedeb3b8cff6ed082052c26ff833cbd7e4e76b26979b6b5611665

                                                  • C:\Users\Admin\AppData\Local\TempRQUHL.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    c07049cb7fbaa4602b2ede84aea06920

                                                    SHA1

                                                    c46b352a9d062470ed6b7b9dcd08eef4c036409f

                                                    SHA256

                                                    b59cc3c2c4f1a6113b7227d935839dcdcbc92b44e128c15edcbbf80cec0f4c7c

                                                    SHA512

                                                    1670bf96874df989e1ced0dbe30554dce574a78e7868205196c6b6f77080e83e93fb3f49467319e5982dce490b28da62f9d6cae127bc02328ee25acccff255ce

                                                  • C:\Users\Admin\AppData\Local\TempSDXWL.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    c26a343b011df42b16a20eb1e4b21ef5

                                                    SHA1

                                                    0dfa155e2a600c60d6aea6b62fa10c27c158ed79

                                                    SHA256

                                                    c00ea0b40282a342ea5dc7b6f7b0dd8ddfa38da65187885a09b2248e05bf6460

                                                    SHA512

                                                    e8c62eb5b6ba83728fff93efe994b9e4b237b050671f877301934169d1e469ee15a63007fa16af308181ad5b662121ec9d51fd372fe2d5830cf5cac2778a21c9

                                                  • C:\Users\Admin\AppData\Local\TempSTYEF.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    4573a21f42451a14faf5facf42ffd274

                                                    SHA1

                                                    6718528373c249e9c14b48ab6e3555e13af5f24e

                                                    SHA256

                                                    13a8907d5761782606d4b373d7cdf80b9d094c200b8d173e1a294397d525cbbf

                                                    SHA512

                                                    c7f37c87295e9da90d37ea893f9bd7f34477d1bb835659037e82688145bbfb78385171890662d0f64b443a3ae9ea149eae87d64701d2b55ae1701f61f057484a

                                                  • C:\Users\Admin\AppData\Local\TempTGMRC.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    2787afdbe11d921ac85738a66cbfe809

                                                    SHA1

                                                    32bc245503d9e670703531b8391702795cbb8f5f

                                                    SHA256

                                                    e9626c32c43d56c08542e17855b078f23b1af0ad81a1be24ae20d81e95a673e2

                                                    SHA512

                                                    c0f6ce57cc0360548ae0610256b96a9f9a7aee2308dcdb36daaf0aee19c696aefcc1cbe29977c62bbbc181d0b0f73f71b1a709517e71d2077d98361272d0e869

                                                  • C:\Users\Admin\AppData\Local\TempUFEIV.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    e801d454bb705b69e1efd1bedc2329e3

                                                    SHA1

                                                    84091aeccef7f181fe4962a7ee4b7770add66a98

                                                    SHA256

                                                    e65e7921c9c60dc183340e13e770e2a5d41c6ebea39361f7a5bf7023c174a2fa

                                                    SHA512

                                                    a94db39f5bd02fddb589f92ae8753eb192750a90f6b46ae510084a22872d7784ceef63a8c53fef29cccdc3e05408beafa6a8f0dccad5947447e6cb8b17981167

                                                  • C:\Users\Admin\AppData\Local\TempUGMRC.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    1ec7e3ccc363d8da29003f6ca9f20bcb

                                                    SHA1

                                                    0f0f489d7aa81ef3940691225309146a6831f60c

                                                    SHA256

                                                    abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c

                                                    SHA512

                                                    bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2

                                                  • C:\Users\Admin\AppData\Local\TempUGMRD.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    ac925826b0b8f1ddb98b1da4ff70ef3b

                                                    SHA1

                                                    0d1b92e0cc4b6bd2b0f2724e1881ee403ec45d3d

                                                    SHA256

                                                    2b80898fa01a26ad6a62c25ae716d0c70df6a85fa80ae949f22bc8337ab28eb8

                                                    SHA512

                                                    d3e9066723291bedc356a2d5b12f4cacf7317826ed248ecb5d1d737907b05c5932475565d3eb760f6da546c88042813023ba4a5d8b214985ea42714aa590244b

                                                  • C:\Users\Admin\AppData\Local\TempUGMRD.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    219f106e451b011dccddcaca90490d58

                                                    SHA1

                                                    342eb6ebcdfa782bc23927e4f7ca713bb3ae3cba

                                                    SHA256

                                                    388eff31270b914b02916004acc16133d2711f37430fbc675ec7cca655aeac04

                                                    SHA512

                                                    f4f7ab0d495318e591f178d12494a43220cd9dadfe8d77f7e9c57c41918ff2cdaae4fafa12830cd922401a56a467bbbe8da8cfcf192ca3b1ef8fa6783ee552f4

                                                  • C:\Users\Admin\AppData\Local\TempUQYPE.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    5a4384ad153eee40e71481f1b84e2979

                                                    SHA1

                                                    c4f6eaf1a1a7e034ead8fb98d9f946ae66547733

                                                    SHA256

                                                    e24020f861db2b12a14f5de1030b174886ce889fe47e68fa46f555d2484ec935

                                                    SHA512

                                                    68a15ebf11eb0c7e315606916b9e3420d6bdeeb4cb0ec9b822fa629bd0ecbbba379c81b966ce5c686f7d47b51dc9d1752faf4ded1fb3c3b3ec11aba06258cf09

                                                  • C:\Users\Admin\AppData\Local\TempVHIFO.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    4606048e5d2a8bec9ba1d96dba6e135a

                                                    SHA1

                                                    b606d926fb419e78ff482e1f3921af85c84ba49d

                                                    SHA256

                                                    0d8bb0454fd2b2d08be6bbb730efa743051dc967a44ba372b68382673d449a0f

                                                    SHA512

                                                    74fe96f720f345b883d7e024bc291435d1bd57156e663ba35e2279d24e032ec6e11c027f14235b36186fcacd268bb688f9adc9846ef75cff48e9c78d3bba2d0a

                                                  • C:\Users\Admin\AppData\Local\TempVLXIH.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    012997a6b29f4be215639a6dc38f1bae

                                                    SHA1

                                                    084fb01e80abdeb2c7febd564062488238a9229b

                                                    SHA256

                                                    a0dda3dce2f03606114b8d4d8dbde8159e9f73f6282d1984ef449823837e2f49

                                                    SHA512

                                                    7cf25d312f8aa7da637da2df94b4c61bda90366e2aac7b7f82282a2e4c35d6f61cc9dd3d92fe16ac1b00b5d0bc5a846355e6c18e334c8fdde832e463369433ec

                                                  • C:\Users\Admin\AppData\Local\TempVRQFO.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    191357fbd0c2c09a0b9124f3a3404b07

                                                    SHA1

                                                    1d7f7d1c71bc6a651cdf8edbb0a8f5e586719ddc

                                                    SHA256

                                                    d589b5e3e36ea4166a1c75d2a2c6d7cecb723ce7628e3e75da5a5cfa29e1b01b

                                                    SHA512

                                                    d43268a54bd5d7b7bc0b47615059aa40d9688a32912ae3e653c41150fe7b6069ac6363523043c5f0a55744bfff32212c995ddc865202b51cdb880e4a13bed79a

                                                  • C:\Users\Admin\AppData\Local\TempWBTYT.bat

                                                    Filesize

                                                    163B

                                                    MD5

                                                    2f92e0d7753a32279044f3178eb02a9f

                                                    SHA1

                                                    255dc3664a10103b3a1204b75db75e6d097aacce

                                                    SHA256

                                                    6075d7b53384296ae6cb790c4a29fb9c7cb931d092c48d5a99cf7085b0724d20

                                                    SHA512

                                                    834832ee66bf26458d4009fc74c39d13cd813c6c76105bc364943a4bec1e372707691db40888bae70ffb7f0186be95ff7b839fc28dfb43486a41b28119331e41
