blackshades | 1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
Size

520KB
MD5

bc904f7bb3afa91980a68cfc7081c1fa
SHA1

3602fd0487ad6515fd1743e4fbbe5c90e1bdb5ef
SHA256

1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553
SHA512

7d266bdd835253c99a879fd344b89fb6216ead3b5a910d47b24bbd7975d44776d1a17eabbddffdc6ea0f71f0b7172f3108c176e3184d63986663288f878b5089
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX8:zW6ncoyqOp6IsTl/mX8

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral1/memory/2672-1197-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2672-1202-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2672-1203-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2672-1205-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2672-1206-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2672-1207-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 48 IoCs

pid	Process
2536	service.exe
2828	service.exe
2228	service.exe
2104	service.exe
1480	service.exe
664	service.exe
1852	service.exe
1888	service.exe
1616	service.exe
2156	service.exe
2640	service.exe
1784	service.exe
2788	service.exe
1588	service.exe
1552	service.exe
2940	service.exe
2496	service.exe
1916	service.exe
2684	service.exe
2996	service.exe
2272	service.exe
1560	service.exe
2136	service.exe
1584	service.exe
2216	service.exe
884	service.exe
2512	service.exe
2120	service.exe
2976	service.exe
776	service.exe
1944	service.exe
2424	service.exe
2152	service.exe
1588	service.exe
2016	service.exe
2072	service.exe
2988	service.exe
2780	service.exe
2372	service.exe
1708	service.exe
1792	service.exe
1008	service.exe
2268	service.exe
1540	service.exe
2820	service.exe
3044	service.exe
2676	service.exe
2672	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
2536	service.exe
2536	service.exe
2828	service.exe
2828	service.exe
2228	service.exe
2228	service.exe
2104	service.exe
2104	service.exe
1480	service.exe
1480	service.exe
664	service.exe
664	service.exe
1852	service.exe
1852	service.exe
1888	service.exe
1888	service.exe
1616	service.exe
1616	service.exe
2156	service.exe
2156	service.exe
2640	service.exe
2640	service.exe
1784	service.exe
1784	service.exe
2788	service.exe
2788	service.exe
1588	service.exe
1588	service.exe
1552	service.exe
1552	service.exe
2940	service.exe
2940	service.exe
2496	service.exe
2496	service.exe
1916	service.exe
1916	service.exe
2684	service.exe
2684	service.exe
2996	service.exe
2996	service.exe
2272	service.exe
2272	service.exe
1560	service.exe
1560	service.exe
2136	service.exe
2136	service.exe
1584	service.exe
1584	service.exe
2216	service.exe
2216	service.exe
884	service.exe
884	service.exe
2512	service.exe
2512	service.exe
2120	service.exe
2120	service.exe
2976	service.exe
2976	service.exe
776	service.exe
776	service.exe
1944	service.exe
1944	service.exe

Adds Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\LJNIQEGYWFFOKSJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HGUBKXTRBWICWYD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAFMWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WHFJEMBYCUSBBVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFBVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCWTOBXIYDIXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMYPSRTFJOCNWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUYKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EVOTMCMGEHXTUCQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVSTFLST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\AONHQXIEPIJSWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAFMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTHHIDBIEUHOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVMUJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGVTJTNLNDJWVIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXUVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\KJURQUHLHFVTKJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HYQMHXQCRBRSPXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSITMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQUHLHFVTKJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAYXFPFKCTKJT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\QVRFSDBGYXTUHMT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKIPLAOVF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIWRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLEJQCCQVNVJTK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGELVLQIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VUYLBPLJXOAOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNEJBSJHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQNSFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOYAAOTLTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQERCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSXKAOKHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RTJDBISINFWNBLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABVSNAWHXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYXFGRXOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYDUPCKE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXJKHPBIMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMMWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPTHKGEVTJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKCSKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJJKFDKGWJQA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTXSPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HYQMHXRCSBRSPXK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\QVRFSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKJPLBOVF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWVMDQMKYPBPRMF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MCNPKILAOVEQUFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKXTCWYMQWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\REGBBWRFMHLIUQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYXNXQPRDHMAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MIIURPTOVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFVOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGGAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMDVNJEUNOXNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJEUIPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTHIDBEUHOJOKWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OJHJNUDOTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHHFNGKBM\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2728	reg.exe
2792	reg.exe
2120	reg.exe
2904	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2672	service.exe
Token: SeCreateTokenPrivilege	2672	service.exe
Token: SeAssignPrimaryTokenPrivilege	2672	service.exe
Token: SeLockMemoryPrivilege	2672	service.exe
Token: SeIncreaseQuotaPrivilege	2672	service.exe
Token: SeMachineAccountPrivilege	2672	service.exe
Token: SeTcbPrivilege	2672	service.exe
Token: SeSecurityPrivilege	2672	service.exe
Token: SeTakeOwnershipPrivilege	2672	service.exe
Token: SeLoadDriverPrivilege	2672	service.exe
Token: SeSystemProfilePrivilege	2672	service.exe
Token: SeSystemtimePrivilege	2672	service.exe
Token: SeProfSingleProcessPrivilege	2672	service.exe
Token: SeIncBasePriorityPrivilege	2672	service.exe
Token: SeCreatePagefilePrivilege	2672	service.exe
Token: SeCreatePermanentPrivilege	2672	service.exe
Token: SeBackupPrivilege	2672	service.exe
Token: SeRestorePrivilege	2672	service.exe
Token: SeShutdownPrivilege	2672	service.exe
Token: SeDebugPrivilege	2672	service.exe
Token: SeAuditPrivilege	2672	service.exe
Token: SeSystemEnvironmentPrivilege	2672	service.exe
Token: SeChangeNotifyPrivilege	2672	service.exe
Token: SeRemoteShutdownPrivilege	2672	service.exe
Token: SeUndockPrivilege	2672	service.exe
Token: SeSyncAgentPrivilege	2672	service.exe
Token: SeEnableDelegationPrivilege	2672	service.exe
Token: SeManageVolumePrivilege	2672	service.exe
Token: SeImpersonatePrivilege	2672	service.exe
Token: SeCreateGlobalPrivilege	2672	service.exe
Token: 31	2672	service.exe
Token: 32	2672	service.exe
Token: 33	2672	service.exe
Token: 34	2672	service.exe
Token: 35	2672	service.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
2536	service.exe
2828	service.exe
2228	service.exe
2104	service.exe
1480	service.exe
664	service.exe
1852	service.exe
1888	service.exe
1616	service.exe
2156	service.exe
2640	service.exe
1784	service.exe
2788	service.exe
1588	service.exe
1552	service.exe
2940	service.exe
2496	service.exe
1916	service.exe
2684	service.exe
2996	service.exe
2272	service.exe
1560	service.exe
2136	service.exe
1584	service.exe
2216	service.exe
884	service.exe
2512	service.exe
2120	service.exe
2976	service.exe
776	service.exe
1944	service.exe
2424	service.exe
2152	service.exe
1588	service.exe
2016	service.exe
2072	service.exe
2988	service.exe
2780	service.exe
2372	service.exe
1708	service.exe
1792	service.exe
1008	service.exe
2268	service.exe
1540	service.exe
2820	service.exe
3044	service.exe
2676	service.exe
2672	service.exe
2672	service.exe
2672	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2068	2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	30
PID 2508 wrote to memory of 2068	2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	30
PID 2508 wrote to memory of 2068	2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	30
PID 2508 wrote to memory of 2068	2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	30
PID 2068 wrote to memory of 1124	2068	cmd.exe	32
PID 2068 wrote to memory of 1124	2068	cmd.exe	32
PID 2068 wrote to memory of 1124	2068	cmd.exe	32
PID 2068 wrote to memory of 1124	2068	cmd.exe	32
PID 2508 wrote to memory of 2536	2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	33
PID 2508 wrote to memory of 2536	2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	33
PID 2508 wrote to memory of 2536	2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	33
PID 2508 wrote to memory of 2536	2508	1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe	33
PID 2536 wrote to memory of 2156	2536	service.exe	34
PID 2536 wrote to memory of 2156	2536	service.exe	34
PID 2536 wrote to memory of 2156	2536	service.exe	34
PID 2536 wrote to memory of 2156	2536	service.exe	34
PID 2156 wrote to memory of 2700	2156	cmd.exe	36
PID 2156 wrote to memory of 2700	2156	cmd.exe	36
PID 2156 wrote to memory of 2700	2156	cmd.exe	36
PID 2156 wrote to memory of 2700	2156	cmd.exe	36
PID 2536 wrote to memory of 2828	2536	service.exe	37
PID 2536 wrote to memory of 2828	2536	service.exe	37
PID 2536 wrote to memory of 2828	2536	service.exe	37
PID 2536 wrote to memory of 2828	2536	service.exe	37
PID 2828 wrote to memory of 2588	2828	service.exe	38
PID 2828 wrote to memory of 2588	2828	service.exe	38
PID 2828 wrote to memory of 2588	2828	service.exe	38
PID 2828 wrote to memory of 2588	2828	service.exe	38
PID 2588 wrote to memory of 2976	2588	cmd.exe	40
PID 2588 wrote to memory of 2976	2588	cmd.exe	40
PID 2588 wrote to memory of 2976	2588	cmd.exe	40
PID 2588 wrote to memory of 2976	2588	cmd.exe	40
PID 2828 wrote to memory of 2228	2828	service.exe	41
PID 2828 wrote to memory of 2228	2828	service.exe	41
PID 2828 wrote to memory of 2228	2828	service.exe	41
PID 2828 wrote to memory of 2228	2828	service.exe	41
PID 2228 wrote to memory of 2040	2228	service.exe	42
PID 2228 wrote to memory of 2040	2228	service.exe	42
PID 2228 wrote to memory of 2040	2228	service.exe	42
PID 2228 wrote to memory of 2040	2228	service.exe	42
PID 2040 wrote to memory of 692	2040	cmd.exe	44
PID 2040 wrote to memory of 692	2040	cmd.exe	44
PID 2040 wrote to memory of 692	2040	cmd.exe	44
PID 2040 wrote to memory of 692	2040	cmd.exe	44
PID 2228 wrote to memory of 2104	2228	service.exe	45
PID 2228 wrote to memory of 2104	2228	service.exe	45
PID 2228 wrote to memory of 2104	2228	service.exe	45
PID 2228 wrote to memory of 2104	2228	service.exe	45
PID 2104 wrote to memory of 1424	2104	service.exe	46
PID 2104 wrote to memory of 1424	2104	service.exe	46
PID 2104 wrote to memory of 1424	2104	service.exe	46
PID 2104 wrote to memory of 1424	2104	service.exe	46
PID 1424 wrote to memory of 2824	1424	cmd.exe	48
PID 1424 wrote to memory of 2824	1424	cmd.exe	48
PID 1424 wrote to memory of 2824	1424	cmd.exe	48
PID 1424 wrote to memory of 2824	1424	cmd.exe	48
PID 2104 wrote to memory of 1480	2104	service.exe	49
PID 2104 wrote to memory of 1480	2104	service.exe	49
PID 2104 wrote to memory of 1480	2104	service.exe	49
PID 2104 wrote to memory of 1480	2104	service.exe	49
PID 1480 wrote to memory of 860	1480	service.exe	50
PID 1480 wrote to memory of 860	1480	service.exe	50
PID 1480 wrote to memory of 860	1480	service.exe	50
PID 1480 wrote to memory of 860	1480	service.exe	50

C:\Users\Admin\AppData\Local\Temp\1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe
"C:\Users\Admin\AppData\Local\Temp\1110331d12311de8fbe6d326d782075b24754d2f36992ef14196076cf4364553.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempHTQPT.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LJNIQEGYWFFOKSJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1124
- C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe
  "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempCBFXW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MCNPKILAOVEQUFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2700
- - C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe
    "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempSNVJK.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REGBBWRFMHLIUQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe
      "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:692
    - - C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOKHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBLC\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2824
      - C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBLC\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTMPQV.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGUBKXTRBWICWYD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
        8⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIURPTOVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
        9⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
        10⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTYFGD.bat" "
        11⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALEYFVOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGGAUBRNYOK\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGGAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGGAUBRNYOK\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEXXMU.bat" "
        12⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVSTFLST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJWWI.bat" "
        13⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPTHKGEVTJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHADEN.bat" "
        14⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJURQUHLHFVTKJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDPVMJ.bat" "
        16⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABVSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYAT.bat" "
        17⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUGEI.bat" "
        18⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXQCRBRSPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYXFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WHFJEMBYCUSBBVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNVHNS.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPJ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPJ\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        25⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQUHLHFVTKJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAYXFPFKCTKJT\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\ORGAYXFPFKCTKJT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAYXFPFKCTKJT\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWO.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBVQEL\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMUGNR.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMDVNJEUNOXNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJHPBH.bat" "
        29⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AONHQXIEPIJSWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRVQXM.bat" "
        30⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTHIDBEUHOJOKWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAFMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKNOYU.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLNDJWVIQ\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\KGVTJTNLNDJWVIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLNDJWVIQ\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        34⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTXSPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQWNKP.bat" "
        35⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCWTOBXIYDIXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKSFLQ.bat" "
        37⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMMWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQERCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHIRNB.bat" "
        39⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VUYLBPLJXOAOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFANW.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXUVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "
        42⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCSBRSPXK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNWSFC.bat" "
        43⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQNSFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
        44⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDBGYXTUHMT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe" /f
        45⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKNPYU.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIWRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLEJQCCQVNVJTK\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\YRLEJQCCQVNVJTK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLEJQCCQVNVJTK\service.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJRDKO.bat" "
        47⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUYKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIJSOC.bat" "
        48⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVMDQMKYPBPRMF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /f
        49⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        51⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe:*:Enabled:Windows Messanger" /f
        50⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe:*:Enabled:Windows Messanger" /f
        51⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        51⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        50⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        51⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempCBFXW.bat

Filesize
163B

MD5
f20461d26095c522b737ec14bee35099

SHA1
e1454237514fb0bbf402b4475db759e02bf43a7d

SHA256
71caf5c939a0e1aa04a5acf0604a0def85b608ec20cd436d0075f0cf1e6b6268

SHA512
313bfbbe4aa78fb27fb11c2cf18edb033d271dd7a0848679983b30ce489c7130a5157aa2ab87b34032c43b4ab824b27b1a634198d78e6f632000d7be1d594028

Download Submit
C:\Users\Admin\AppData\Local\TempCGHQM.bat

Filesize
163B

MD5
2ce2d732e31918e158c1d1d49978d4fe

SHA1
452898f58cbdcf26286cafe797256b9ea6349559

SHA256
8098362e89da9b813c883e03e41f8f5bc1893e1e130a5a3f443a329f0e6c528c

SHA512
18fd7ecbe2fde5600c1001944a4d070386753982f414df2a3a9e95f89765982e433a246e37abde2c647c33678d272175d1031304d458b6f56cd5a17e1cce9cdc

Download Submit
C:\Users\Admin\AppData\Local\TempDPVMJ.bat

Filesize
163B

MD5
65c67f8aab56a1cf5daaae9898947c60

SHA1
39eda13cc51363df86d17f5cd894b18efba2d188

SHA256
a5fd8bd0bb58ffb234eabd41ccf582aff8a6affbc85d744778fe752cb48ea91c

SHA512
fb80be049abeb00c8e5c0c21bb2149205ac0749266edc9fed23f7e072bd6c4b251364745f8d6d2f810e4a6ec3b453c425e3a76e67e3941543b31e0cf9c6fac6d

Download Submit
C:\Users\Admin\AppData\Local\TempDXWLU.bat

Filesize
163B

MD5
dfd4cab5f88961f37b56f920f0a3bb11

SHA1
20ff1258fc401b7bc515f6d7718123bc2fbae639

SHA256
9cd237b7606401f31ec6b1f136480b59cee627b1c57c6aa16c8dcfb01240fe6c

SHA512
2ea225c72ce94447d6a204a98ee8038a03e8d043f81a4f2f66ab930592dd984923e272342a08e2ac08e02b713dd4d948ff931fe8df6646058a71d6ab9f69e06c

Download Submit
C:\Users\Admin\AppData\Local\TempEXXMU.bat

Filesize
163B

MD5
e5de1b650a040f7ed8e3978daabc5c28

SHA1
db4850e5559f3819fac04fdf8f26e3e49236d3ec

SHA256
2b2495ce7a09174320c02e2c2de22fbd6b9a994ee0db0a431f91710d99e1ee1b

SHA512
d6086ff2a215c267d9b1d4107ac792d39dba76cd172f4a4160a90100b70986a8267ef229b8e82deec6e19e62260297de9a2bb8305fbe8e387b493716f5d7ac6f

Download Submit
C:\Users\Admin\AppData\Local\TempEXXMV.bat

Filesize
163B

MD5
9e866f8181a3cf3103041c39bf893cc8

SHA1
10f33e54f4ac23a78b5d61623cc467a171ac9c88

SHA256
b9b06cc28bb1f0e13aaa9a5b971c77809e1ad2e509eb1d6a9710f6fd3c16ffdb

SHA512
e3199afdf57382979ffc830bcf58a65c14f1cccc6e255d763c8b2569af3bf7173105defd84c0a46a26f9bf0085b547a9882ea46f4724c55eb52bff376b05f7ac

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.bat

Filesize
163B

MD5
7ed000eed1ab7f3420e001d25a18e2e0

SHA1
c53a4d8d38369ee75f7de08af9704b1032aeba66

SHA256
6f4c0bbe1807412382dfb5ef438f76d25474df51ca65947fc4b6efd98f49a840

SHA512
1ef1d0bd91022d6b1b06eefed48e0adeb5d4d988b65e4fa1819d5ce4d95e56612f73f0ed8f5fd1ef37ed2f354757ccbe0ca1bcbe76196eb265a098741f04a2e0

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.bat

Filesize
163B

MD5
077975505ee313d4d0f5595fc6eb7155

SHA1
4744ed31f9d8fd37b77625e24c415c98e78676bc

SHA256
21b75430c8b79e9ff7d13b3fa09f99870a5c47655d6a627624ef09cfe94a269a

SHA512
f4f3f1a0fb493a99b27fadcc00201ff92311563f272eb7ddc1455b7293004feb2f14d9db9cf140e42b473ff136bd725ae952866a07bc9ce899eb98cff0fe7f8e

Download Submit
C:\Users\Admin\AppData\Local\TempHADEN.bat

Filesize
163B

MD5
51a3e1a8e37d65c66a60775322d60ed5

SHA1
3bcac0146869c45fbdbfcfb71050ff19cccecfa2

SHA256
1c2955ebc94cb9160f93ea7fedab48170894efaf70343dac8dbbbc50826ff7cd

SHA512
e3e8125558a8fb1f2bcb4f457eae5be5c662634d2c2bb326ddd2a96c36235b0387a25c850e4bd4c6700154f8e8d1503e3a2d80f541b5d93275e2dd487709e1e7

Download Submit
C:\Users\Admin\AppData\Local\TempHIRNB.bat

Filesize
163B

MD5
247458a2dc9f277b424c7a10be0f73b9

SHA1
62fd3e03ad7d597ca432a04888ddb7fc652684dc

SHA256
9437a5bcd757b9cce657c599e24734839fe3ffe23f145132fe0bb76841d80bd0

SHA512
2282244ad105fb946e60ddb8fd6b60d281e82806ed75699d13d8e9e51917cf1693f611f3e588bfb2626f53a1088323547e28e9a0c96db1275b842dd5706cdd6f

Download Submit
C:\Users\Admin\AppData\Local\TempHTQPT.bat

Filesize
163B

MD5
0da56901eaca0a6d8df21ccfccb344a2

SHA1
25aa578119ec281b4aaf434d4869f4e6395684b2

SHA256
7251a0395033af7fd943080e755a4bc33d2c4b4934287c902b14f0721aacaf7d

SHA512
906c62c81a78bf1c6ddd7e2aace796a4454c0b26c58125c3ede80ffea6b15bfa63cc986f7624db99f7ad9dca864d4f8bafa552bf01692b7e2b1ed3c79237d2cf

Download Submit
C:\Users\Admin\AppData\Local\TempIIRMV.bat

Filesize
163B

MD5
63867f6befd28cc8084b2ff8609979d9

SHA1
83152b34e86b8b3a922c1008d21a9637c4ea05c8

SHA256
d071cb77a5fb51035996048f8754f34ab85c0339005ede3457c5e85cf9ea1bbc

SHA512
ea6de0853de0ba9cf018a976438889a54ece39f6f595455f182448a3362061ee02017ffed53b6667e8a1507c24ef7ac25594b672379b77f0b9318d2444d99396

Download Submit
C:\Users\Admin\AppData\Local\TempIJSOC.bat

Filesize
163B

MD5
21ce12b821a8aa6d204b009041335b2e

SHA1
535a4a0664c1d4532dfe811757efa6adf32f32d7

SHA256
f947e62863d905d7a53818e2dc4641afc2c2ce25f9f092aa51926cf330a473f7

SHA512
6b70a2720ce3b9f088afe6460e4bd0a31985907732ddfb3a136bc3574466dcef56a656c20a936e41dc5594357d0bf1c05e0dec81d3d0001b04551ad74386b1b9

Download Submit
C:\Users\Admin\AppData\Local\TempJHPBH.bat

Filesize
163B

MD5
00b7af44531088a30a6650987a99ac2e

SHA1
7a862f2ac92c365d7aa9372c89dcce37bcf35510

SHA256
31cc9867679c60f20a00e3e5d05d20dc63a7b0e915a1889fb153195164c4fe65

SHA512
d50df0c790741e63dfdb7baa4b59a3133c3f8ab8e699fe34e016d871aab54e3c7947a5693aaed48e19ba4d2ab313c17460d9c6eee5a1c003214a2a3946f2b722

Download Submit
C:\Users\Admin\AppData\Local\TempJRDKO.bat

Filesize
163B

MD5
c84fae6cade4418f510bef53dbaf1202

SHA1
adc0e9b7e978c8a8835ddbbd3a0ccdd21f518bfc

SHA256
242708153ac165985ebed0a13191950afcf8d69f8300d912acc4733f1ae12acd

SHA512
4b9b9a4a9dfdff6b4d27fe3e9a1cd53df4fac54e602699572cec0539b463d621aa782f47a490e46521cd1d754b5c076739105d33785a62ae058799dfa43f8846

Download Submit
C:\Users\Admin\AppData\Local\TempJSOWO.bat

Filesize
163B

MD5
b0db7b0f95e58fb3f219df5a00c15a87

SHA1
e0e8938c85b4e46bbb0540310673f02a64b18fbe

SHA256
9d13398500fccb24e0540bd7b1aecd452e656b6fbc4d5f02b1ac9ae35f27f104

SHA512
b5291a8c6d2486dcb1f971f7aa2b462a03bcaa7c7b6a349fbdd0667cdca2929f39c342b44406a8dc5b7b811fd7b1f3ae8fc885265dc6ccba618f1256af83f091

Download Submit
C:\Users\Admin\AppData\Local\TempKNOYU.bat

Filesize
163B

MD5
f485eb466d124afe4f05082cc3b835ff

SHA1
00bd1a4c37f772616c2e3f6e3fd4c53341e1d523

SHA256
6246d34daef7970b9cab9952ec458e097ce05455408db8ddb3589dab848a9f9f

SHA512
dc0bb4ddbfef6bd302503539ea82d43aa0bd338da0a46a4e63a2701a77e87bb41c6f447ac5504908c900a7f511d6c9e516395b56235c00f56ee2eb5ca12325af

Download Submit
C:\Users\Admin\AppData\Local\TempKNPYU.bat

Filesize
163B

MD5
5c3b4fd463925c94d3deb5bf4fff9718

SHA1
729fa5be0034a7e52a94e3d60053338b6776f12e

SHA256
a43766f8008b2c18f3b7424ae088625e69ff24410df3ba749fb8452ea5edca87

SHA512
7e33fbf49be640a0bcaef0e79bdd1b2221b5379eee29c1ae208be1b3730fe33e219ba07da88ef0067a997bb9528b52799d40efb23e83f9643c9b57842f8015ca

Download Submit
C:\Users\Admin\AppData\Local\TempKSFLQ.bat

Filesize
163B

MD5
9908f25a4b21479670cd8b26e43eebc8

SHA1
d9e8ab8de17e76da16add3ed9ac9ebd723b23a2a

SHA256
a2edaa3bb568e4a0c10822f588e0c3d115c576aa7c125ae8201aefe888866890

SHA512
4675f0d69687376e2a2ae73738115cedac4f929ec5d2d4268aa23e59484710cf7990c9b683772badaa92128ccf0f9f867eff04badab49ed34f8d75fa93f3f2e8

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCO.bat

Filesize
163B

MD5
6924cd32a0a33db2140009298b4b812a

SHA1
6442a9818093e0fb37b9af856fccd6ccaf8a5737

SHA256
aded1d2932822ab8a791a717911af196bcf7715493bbea38730a9c3e64efba9f

SHA512
1761311e8094f56c790d3c2cce5b52d6a9e2410766c596d189e3d9d0a16135ffa36ddc609364fbc1de751497759da17feb2c2ff18c5a47527a4c13190f9fcf4a

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.bat

Filesize
163B

MD5
232c1e7640e5bb90c3b381b7fa0d8f0d

SHA1
65170528eab10150fe022229ff1ea4655423481e

SHA256
06462c3273aed69acbd5cec547e264191c71a883c485f5634affd1bccbe2df1f

SHA512
df34e6aa3b4b3a94f97f9c650f333adb48f93065e958a0aeab38ada6229278d00ddc7200ef89bb065947c04c04ea20ed297089c33b10a85511567be70d70b7c9

Download Submit
C:\Users\Admin\AppData\Local\TempMUGNR.bat

Filesize
163B

MD5
739447080a3e22332add31b3d6b14dd4

SHA1
88b1f4b2bb3b85dfc58ccc3dfb90ece8627e3969

SHA256
626b142072fad964a4323fcf63a1baa0088373953747789ef2afe3b33643564b

SHA512
7f2e99cf7b787cac0bb7396a704f826fad3c36066a527e51f55fe6c8c2c6e88e5c7ae4e4ce45f1f4598bc11afec60934f2c453f1c72524e213c67ef67918950d

Download Submit
C:\Users\Admin\AppData\Local\TempNJWWI.bat

Filesize
163B

MD5
324ca6aafb522de26cdf6d67eaccbecc

SHA1
0b73280e142d1e07864dfd6470f2f5d47f738b29

SHA256
248c578e8c7242e3c139471322a6229273a014c7ccc2368a3e3c7cf12e2eadf3

SHA512
8a241085918f596a5eb2674168757b87f4779105dd6dc4ce0c23f55afe33710a2578eaba427c4cfabcddd8a02f6784bdf9dc85a18aaf2a5348518f538e0be946

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
dcf2a1dd48508f6873714b016854a2ed

SHA1
42178ba2ce604119a103f23cf75976bcf22601d3

SHA256
7f918d3fda2c9280b33a8db21f89baadeb460e3f0f13d2e8ef712c08754ecbc9

SHA512
5175e360c3b5a610b9a2a22cbe6b41f9ccfa387b60e9f081f4b92cf57d8bf02f0aeffb3c87056837d3a1aa308b660e02c1dfbdfb7ff07e16a7905e2c98c0199e

Download Submit
C:\Users\Admin\AppData\Local\TempNVHNS.bat

Filesize
163B

MD5
65dcb1450b3de3f67453f9bcef548793

SHA1
47dab7dc089379d0f3878167729b72aa27ff5a4a

SHA256
bf72ebd2daaa96247946358ff30ad4bad7264ca4d2ec2e8a87b976d3b0aafa76

SHA512
d6b8ba80f3653bbc51064150367174681632e6411aa42f819bcfd8cb3d291748364d1eeafd7ae15cd70c327f4595a4f7775aff277afebf8b80539fcca26560bc

Download Submit
C:\Users\Admin\AppData\Local\TempNWIOT.bat

Filesize
163B

MD5
3fa377d490e135358ff8715b7130b57c

SHA1
90826df37fef897b8d9b2a225d23b581e87e5e71

SHA256
07652d1b9830b4d5d201dd0a67c88e979c0a47fa940c7cb638286e51b638b7f0

SHA512
cb99c54fc5345e204f70433c41f232e80d8893ee4447f152781f9b7a07b24319ccc47805fc35669ed599fbdce7c0c58ddd70bd6b3b0878716368f0bee0c1b61d

Download Submit
C:\Users\Admin\AppData\Local\TempNWSFC.bat

Filesize
163B

MD5
93838a5f6dd4abad6af30039f0cbfba8

SHA1
ca7503d5f69a306796d1f46f42bf254c647d0bf8

SHA256
4b6c2952d18bcee750b92c9a86e06ee2ad6c493f551e04fd6ab063779f698a10

SHA512
c22cf92e59b7859d772136b396649d2333b1619e13ec723c1a844263e34cdc729767954180ccb0cdeb6610e3417433467bf313cc099c54510f0d7de4b5bb0d12

Download Submit
C:\Users\Admin\AppData\Local\TempOPYAT.bat

Filesize
163B

MD5
4bcca904a941f8d8e580f005b741c70e

SHA1
af3a26eb0bb66219315e4cd7c1d4b8f8a4530258

SHA256
758ddbcc0c4b04ab8f8746bd0379badf35f28728ed12489572bf6e6a19ced52d

SHA512
85df4081ec72ef5ab53c29f84c4a80d53ab65514ed8fa3c74ac7eb02eb17b16042e7f10ebde6f809c57c7c74c039a6067800e68fed11543b7d8a295b5d52de09

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.bat

Filesize
163B

MD5
3c86f9fca6e72f3487041385d17af02f

SHA1
1d2933c86ad80c352b05bef3bd23315aa866d364

SHA256
61d8dc5504e877a049a72beadca2329646138a0a3fe296a57d4c4ce8fc2e1b70

SHA512
88c6b3ca0518f7158920d474b10bd35414fc715d8bdca0271f98246cf45015adfc5da84994fbf070767c35d5adbcfc2a8fac09b6947b9b4501c71dff4a711373

Download Submit
C:\Users\Admin\AppData\Local\TempQUGEI.bat

Filesize
163B

MD5
762176b93392d3fa185d87beae5d603a

SHA1
661f80428f4c1d317155659a2063b5454e059ea7

SHA256
d90e1600d1aca150e396b865ba705281910a05f294ec56037f762927bced96ef

SHA512
7570c290aae23c81bcec7ede20e85811e4dd31168dc4f5eb992aff042d4a3ec7ea4687680003cdece0d53c142f6cdeac50f89d29cf28d1c82099be6c50277f97

Download Submit
C:\Users\Admin\AppData\Local\TempQVGEI.bat

Filesize
163B

MD5
9b23d0945c2235796a7507cbe3a50f35

SHA1
c00ee7a67de1706da1bfe60d4686a6d6893a0183

SHA256
75bc426758e3fa1d9b8008f6a22912755ef4e3e1479d3b9a65aa92bc04cc6977

SHA512
1fae5ccd80e6ad24ce2697b1bd7f9d2c148250167514a21d3308b180d250fcceb5d76140d4a073346a9c776b139bb6000b8df48831ce7b85d17a7aece10d98cd

Download Submit
C:\Users\Admin\AppData\Local\TempQWNKP.bat

Filesize
163B

MD5
465865360cd0ba68badf0ccd4980331b

SHA1
e55ab780d6bdbcb4a1cb56eea47a86abd26a8f13

SHA256
13df97d3733d9aa539f1980e8c0995929b9ba0914c344d5aad0e83ea02598e5e

SHA512
7b01180631ec16beeecda3322bac144ef0c1e01ba7295789b59be4981bbf0ae973f95b163af22c349fd3a083a0eb86df4233d391ca1669ee6e08896a2c473863

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.bat

Filesize
163B

MD5
91109f752d555e3b0a4fa5c910acd8d2

SHA1
0fa720f6b36860c79a92f2fc2fccf5e9c90561b7

SHA256
c5e81986269650788a5c8cbf355723eb92a6987915d658111604d3b973378106

SHA512
6a02fbba4c8b2220359c77c78469aff0fe38b703d0e38d2078bea8dc2160ab12afaa7064092a02e5444f27529015adbbe925567e8321c385533b6190d1677abf

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVK.bat

Filesize
163B

MD5
ff63d8e96cd28976f42345b2809c73e1

SHA1
e5b172e153c6373f1c4c65550f6b037c2a07577c

SHA256
9fe75f61c2ae4c8c2590dc4a9a6d4e6136427bae61eb2dc9f669768a64981768

SHA512
9132e2fa180702b9b64b1163aeb324d5c73d9f530e62369f23756421adc7fcd7128b6b702993117a697f370e9a494fbaf9f0ea1ae0473dd9f47fe7dbd7c7f306

Download Submit
C:\Users\Admin\AppData\Local\TempRVQXM.bat

Filesize
163B

MD5
c77c45252711b8c57a85bd15dd837d11

SHA1
4f2bbc1a53a9f029a96036987f6921cf1afcedc8

SHA256
27e6d61132f14fde7f4cb0b6abadf9db1fc94ee3cd8a70e4f93c62b1fed520a2

SHA512
6304e16d425b616db4bd39289b6e7ab5a912df5e801908e64f6e02b918a9ada626c80b509b647395d3018f7cba138529b0f2513b93bea36eed6b5b7a9dd23b20

Download Submit
C:\Users\Admin\AppData\Local\TempSNVJK.bat

Filesize
163B

MD5
94c5ad15ebbeeb12e62bad8d352806a5

SHA1
e68481fc6d437a86ad328edeaecd6ec7f7bd2384

SHA256
49d08a11114f94e7da2c4a7c239f73ac9de645385a0372d4b9995b5db59ea1d0

SHA512
6fe9603793fce84b394193e729628f8931b2be7999ca04e0e875ca2b2e2295853b819f9f93a9980bd7303247b986b30a383e94cb7ca0f235ed1ec7613ac2e915

Download Submit
C:\Users\Admin\AppData\Local\TempTMPQV.bat

Filesize
163B

MD5
ed0ff4dde2e3a480d639dfae1ad75470

SHA1
f594018b11376d5651ab662e3aa86667321aedae

SHA256
6c0077d69e732806bcf68510c604637c5298ffb60b4b1358337cf3c21fd2902a

SHA512
56c54c1b6563a3870aa61bbe0217e8372cfbd4910651c7e292e4297fe1752c7b7fab73f381a2d0c559702f1b495102ca7b7b4c846d3bd577332ea32cbad58511

Download Submit
C:\Users\Admin\AppData\Local\TempTYFGD.bat

Filesize
163B

MD5
d448861b2ebdc834e29ecc8eb1ae5ced

SHA1
1e01c78e14745a6667cfb6b213ee51c5da8be522

SHA256
ff9f3b7ddebc4212611a98ab885f3b921cf6611b3ac69021bd8e729c5975595e

SHA512
ab3406c4fcc00b5f38d80df4147be1b2dc4799cde9ca70263a513ad45eee7ac78b45b2d20551474ddbcbd39ddd073dfbaf525f42eee6fa477a6493adef75bcb7

Download Submit
C:\Users\Admin\AppData\Local\TempUFANW.bat

Filesize
163B

MD5
fe5d4ee7b49b20431a910d565c5f9b9c

SHA1
d73a6dd3a7d59b7fef87d81cb2f048dbf92535f3

SHA256
52e8d88a6ffda3384fbfe8cd9e9b3a5a93548d14473452b6fe88443ea3c04736

SHA512
f41eb2dbbd558429f606bc59d02f205933bf54f5a2453d880dd1a12819fc91f55c47bea6bcdf81dccee60f5cf79294bfc82b8b58a727e8006b7e75737a4ae99a

Download Submit
C:\Users\Admin\AppData\Local\TempUFYYN.bat

Filesize
163B

MD5
4d00ab22c8080818168e7186eb62f99d

SHA1
cccbdb566e279a04dcc0f1c002e79917f94d3e90

SHA256
ae988d4be67d8dbd236d32ea6a60c631a617bc8fcd94d69373a008357c486c82

SHA512
349840b0282a0b5b3d07193c743f49a111fbfbe031ab089adb98704e6857bbd9ac8e0541e24354841262bb2cd8edcd9d6e8b73b451c1b53d2ee5497af391819f

Download Submit
C:\Users\Admin\AppData\Local\TempUFYYN.bat

Filesize
163B

MD5
b6eac8372d1f99d11f4ee17470920a3c

SHA1
5e5550580872ab274638e4f754ef29ddb72a77fa

SHA256
d12770eee6818f8a2d60a1f18c5c13fda3bfa8396b3f2233724934f8ec5c7763

SHA512
9f432fc06979df2437634c32f225bacd61ff0f926b49caa9410ff06dc6a3b9da6e8d1992d36c899d9c8817038b2250218261e13b652cbebba53c484af4c04503

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
c08a4971db5477df23113e829b8b294f

SHA1
41c06f778dac5cffc7e60ed6d2e4ab5dbafe964b

SHA256
1dca5ecbbfc1351460bc111362c13c138f502aa83db487d81222c00ea76b3896

SHA512
9a2cfcb0c72d33e93454f87770b34a65f730899d2c4efe083b089fb47cbf4d3e91f8b17ae1e4563eb9d6d042ab759141d78af1885fa9010df989bbd6a7b75d28

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.bat

Filesize
163B

MD5
590ad4f453a3e84e4a7a65c64ff6dc47

SHA1
62400bebd48dbd2127b9bebe3db4765965f0af61

SHA256
9a3d873cd43662e2043532234c3bd44569db92c24b30e2694c39dc9d3c93559a

SHA512
78ca8d933e3706fe50224046e5345836ed41398d4989260d314bd6bdf4447f8ebfb226d6cf19feeb87bb109b97a4816292ed34ca6a71bfbc0a70360beb3cf2be

Download Submit
C:\Users\Admin\AppData\Local\TempWSRGP.bat

Filesize
163B

MD5
05201fbfb01f0681865962a14a4271b2

SHA1
f899a90ca4fa072e0f01fb14d98b34963b66d291

SHA256
ca3845ed8250fc099c3d9a147a1b197db92f32c1d6a4a3038f85fd24af646468

SHA512
78a4c0d65adf8ffd49ce4f61fd10efaab406d76eefb5388a8fa47572dc1d615b7eff2f3d870c771b28d637ca895549bf380707cfd61268dedd1204f19a55faac

Download Submit
C:\Users\Admin\AppData\Local\TempWVRSS.bat

Filesize
163B

MD5
ded3c38f382d017e98ce088c506edee0

SHA1
1a65a0bc027dfe0c4aa4bfb7f04c4f3357633804

SHA256
a048547fda8dd55721ed75dedc35683603d7ddbccec7e8b679cc92bf735ed105

SHA512
4127194d220bcbdb64c44e98adfca9e34d98815f6e3dacddea7efdcd83bb5fc154444fdccdeb276ba83eff9e407bd5e90f57ab6b47eb0275839c756dd84fc8db

Download Submit
C:\Users\Admin\AppData\Local\TempYFGDM.bat

Filesize
163B

MD5
ae2b80ec322acc6a3a92946b6017b9b2

SHA1
df6d13bde6c449353f44fef2a2ee64117504e7b8

SHA256
40baf497022d6b4a4b5aab79809cfe0e6cc012491fabd0beff85cf55ee2495cf

SHA512
ea3175e8f20c417250ebc64d9ba7ff6f9092ea1cfcc598a93f2a58de8329d98c649d47bf2a8b4a85a834d9fe222e56f993b245cd9a89cac10a8cad028b9200f0

Download Submit
C:\Users\Admin\AppData\Local\TempYGOFD.bat

Filesize
163B

MD5
4b6b4213a6274deff4ca98e7bb0fd4ab

SHA1
ad0b1b25e8b71b3c14c40e8a064d72aa88e3e6a4

SHA256
b60d1d001ef0e51c969f6f40e26bed2b518e09345230e104370aecd4a1c5b7b7

SHA512
b490f77f739a0d4e8f2a3f37a68e67c133a44ce9191343044910f23f8add242c4e9e2d5f6924e501a1058c71bc04b21f9fa18cd5ce3ef734be68d4bddf90a1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
d8963680928db13a60988beb0a0cca81

SHA1
b229edfb17d84daa44d737d4b26ab16ebbbeefee

SHA256
25c54926fb0ea1142f6123cbe795b7227e08e6250cb2c4f6f6c77185e7290d65

SHA512
bbd2307d4fc2b4c7ab2e30292cc8ea7775097bd927ac3365232e36f4936a077147d016df50a7c7a08a0ace077414cf96d94f29530af8f8ce538a09d77c4c6985

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe

Filesize
520KB

MD5
d188137130367edf5b92dde6b28f18d1

SHA1
8e192470674c1c2d9c33e2042d336b36a61feb21

SHA256
e72b1f390ec252b6940022471bc43c59dce6c4a6a058565b878241b047ee8dfc

SHA512
35decfe5deed41986c646fd5ab7fb3405f3b7cc66d864f6260e359cf9339af398a81e39daa504d0218c57195ed61f31dd760962a9428270055c23274823d16d7

Download Submit
\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe

Filesize
520KB

MD5
772f089fee7bb0c04f99ef1f55acb76a

SHA1
357bede514138a0fc24fd7b4f67f8c123d94017c

SHA256
0c4ed90bb661510e74ec8456adde22ada9fb82fa23fe365b7ea7f6adc27cfd64

SHA512
1101ddb79aabf3e399c7ac4ca485e979547a27865be63bbc52d2cf2a15a5e9801974ca56788606e648dc2c4838f13fe6c6dd4ca4f831303068520e80e64a9994

Download Submit
\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe

Filesize
520KB

MD5
3e08a151ab80e9bbd00f0de42540cc33

SHA1
6b99dd903dfaf9e6d72f6f86b3ebdbd5f1289578

SHA256
af95ac6be77f6f0afbb592ebc0a6f3441e3d76aec17ff9f52c3939e425aa2eca

SHA512
1281a0a90672f0437541000a5f42ce52751da8d0393ac809be4e8d9d4cf2cfd88bd9f96bd20fad6eb039152fca5afda7871de0ccc132fd6e33b86377312ab62e

Download Submit
\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

Filesize
520KB

MD5
deac7b56309642a9686a7ccceead8e3d

SHA1
1455e44ecec740ebcc75fdd38f95143f8058b3e5

SHA256
4c5151dd73c2b348c129bb13e2449eb50cda8efa2decebdc449daae3f5ab36ef

SHA512
170edcb7b30077a09a8bcfa43a3faff04b32e2b03f81648aa682a44d02e077dc2ef608f2d9df38da19d2e7f138701a861f9fec9cc95d297176d7eee163cf7dd7

Download Submit
\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe

Filesize
520KB

MD5
44c7f53d6aacfe12abfe21e68ebf96ab

SHA1
9a03cf75bceae6c7c8e37e6121055c92a393a727

SHA256
fc4525a0f21558391d2da9d0c377de9bad733d3eb7814bf0e282db06744c0fe7

SHA512
a543caaa19b32dd5ca5ad81fb92305ec9236c697c60f0609cbd957063133736de40f7e2dc8c1ab171a300a692d67818b825620a08c6073c67a0b8a9b9a865d67

Download Submit
\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe

Filesize
520KB

MD5
59fd723ec7c9910c4702a540cd887aa9

SHA1
8ae55e63097d91fb85e19002eeed51476090f6a7

SHA256
7e78ca6153f4972e291b0275a01ee3e21d963157dcc4b724da3a5f41dd07edbb

SHA512
f456d33f90fce4593331a2e0a78968ec01168f064323a4310ee99ce03db3b22f0cb907a78d792883e2e0369813586da31025d86927f96946181c51cd728a2ab2

Download Submit
\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

Filesize
520KB

MD5
dc8a865317dbcb6dc3050bca7da7f797

SHA1
6c2a2b9881fb72531afdaaeca640f336db97e62e

SHA256
dc8fe7d4eebe33b406bbbd9ac3552bfc7116b4c12e5e38fbbed82d723bca98f8

SHA512
f955cc8f90e97b326dde7e75e792898bf4b01d1482fa9a19c2107763121991aa5cd80708515dba94a187a184c864ae0457b1f3f9f0161535998f8eedc5f3415d

Download Submit
\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBLC\service.exe

Filesize
520KB

MD5
dbb7cdb57253def02a9f034b622520c1

SHA1
6e47da2828fb0d3bc0825d3c34bad0e5263bbf20

SHA256
e41b59f67be0cacd7f21e2b7ff674bf50c81fc870aa73a6d8b5386abf2593e82

SHA512
b542d429c25665161c5002394065cc5e84ceb06eeebab5bd04db5e21161850420ebafc9d9f834f55d25deca63563bbbc13b578ea04f8c8ceb89c1ddac8738cfe

Download Submit
\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

Filesize
520KB

MD5
8517b55e15662b7a3b40f100d4e27eba

SHA1
9bff96f5634968e984d12bd902e4ac5d8d75c235

SHA256
7517e964bd2ea6819a7f4ffd5c5da010bf4a3f605e749ee2e3d050cf827bb169

SHA512
629e4a59e3bae7bc81737a59787b6d95ad593e96d154cbac3ba213de5827c96874a887d9de74acd8080cb8ff54d3f13cf9c6bdd95f6cbef57ef7a88689c865da

Download Submit
\Users\Admin\AppData\Local\Temp\VPIOVGGAUBRNYOK\service.exe

Filesize
520KB

MD5
5911cefbbff8fe0ef5fe403aff6ee257

SHA1
d792e3d592f53d0828497f79dda019da44b2b3ff

SHA256
59a915e88d261ab87f9f2e8a0e193c5312708809aae7b69a6b5f2c76949f6a48

SHA512
33eb50f72784a05e18fbe8d0fed33d487b9aa932880225de3201f22d3d6cd17a1048fa5bfafadf647c604e16492e4ecab1032f2ded1b943d2ca18915a7040b34

Download Submit
\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe

Filesize
520KB

MD5
bb270a4eb0686d25640cc7d18180b1bb

SHA1
24d7eb76dec87f4178f43d1649b5c64bc02d2b74

SHA256
0c2491880efb9c4fe941695c85d1afc20ec40f60f5ef650c885bf6c5b8c0918a

SHA512
2aac2e85e45791547016ecec40ba2b116176a132a25a178dae5a1ad07613ec42e08c3b65cdcefdcd43b7900601a82cc96f7172c9e127aaf915ed4676bd9a1669

Download Submit
\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

Filesize
520KB

MD5
1a07a9027d81b590459f5e89708db1c5

SHA1
18710b1513923df9eddee7380ae083f5cb0871a0

SHA256
00dd95d9f88b3ef6eab836e66b4786e254ffa5ca75b9cd755dbcaef9b0c89868

SHA512
02f9f6227d899d44fbcc962927963f823e4d6fa4da47f57bf11ae250af1a50d16b87e90ae54fcc66b6f907811fcbcac4735f38045b4a66fb45f59b8ed3ea01c1

Download Submit
memory/548-703-0x0000000076F40000-0x000000007703A000-memory.dmp

Filesize
1000KB

Download
memory/548-702-0x0000000076E20000-0x0000000076F3F000-memory.dmp

Filesize
1.1MB

Download
memory/2672-1197-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2672-1202-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2672-1203-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2672-1205-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2672-1206-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2672-1207-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads