Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/02/2025, 21:58

General

  • Target

    35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe

  • Size

    520KB

  • MD5

    0ef061308ce5237b1c4feb5ec4895e90

  • SHA1

    e8a728ead1cc3c2d931c6fc21ccd89fba5f0f220

  • SHA256

    35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6

  • SHA512

    79f5484feb40243edf020b3db170034a234e630634eba84f65828bb52d3722fa16de1ef7c0ab43ec21d5471f28525de9fdf23e61a61e6c92bf6f6d3847646760

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXy:zW6ncoyqOp6IsTl/mXy

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 7 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 45 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
    "C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempIXYVF.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OCNWNBCXTOBXIYD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2544
    • C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
      "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\TempURWRY.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUIJECFVIPKPLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2832
      • C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
        "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\TempQLTHI.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYUPDKFJXGSYOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:3052
        • C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
          "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1484
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOTGKGDUSIIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe" /f
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2828
          • C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe
            "C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:308
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1380
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJILGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe" /f
                7⤵
                • Adds Run key to start application
                PID:2280
            • C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
              "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2288
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\TempELGLY.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2108
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UWIMRFCQQEFABWR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:2476
              • C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe
                "C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2264
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1820
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPQMKMCPXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe" /f
                    9⤵
                    • Adds Run key to start application
                    PID:2580
                • C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetWindowsHookEx
                  PID:1696
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
                    9⤵
                    PID:2512
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe" /f
                        10⤵
                        • Adds Run key to start application
                        PID:1800
                    • C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe
                      "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe"
                      9⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetWindowsHookEx
                      PID:2364
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
                        10⤵
                        • System Location Discovery: System Language Discovery
                        PID:1608
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe" /f
                          11⤵
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          PID:2540
                      • C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe
                        "C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe"
                        10⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:2948
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\TempYWFGO.bat" "
                          11⤵
                          • System Location Discovery: System Language Discovery
                          PID:2840
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMJNIQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe" /f
                            12⤵
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            PID:2836
                        • C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe
                          "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe"
                          11⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2604
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c ""C:\Users\Admin\AppData\Local\TempUBXXR.bat" "
                            12⤵
                            PID:2592
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVRTFLSSDXWLUHG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe" /f
                                13⤵
                                • Adds Run key to start application
                                PID:2716
                            • C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe"
                              12⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:2176
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\TempKSEKP.bat" "
                                13⤵
                                • System Location Discovery: System Language Discovery
                                PID:3060
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f
                                  14⤵
                                  • Adds Run key to start application
                                  • System Location Discovery: System Language Discovery
                                  PID:1368
                              • C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe
                                "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"
                                13⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetWindowsHookEx
                                PID:908
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
                                  14⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:756
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBIUVQPRHUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
                                    15⤵
                                    • Adds Run key to start application
                                    PID:2104
                                • C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
                                  14⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2088
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
                                    15⤵
                                    PID:2140
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe" /f
                                        16⤵
                                        • Adds Run key to start application
                                        PID:1640
                                    • C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe"
                                      15⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2100
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "
                                        16⤵
                                        PID:2028
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXVDEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f
                                            17⤵
                                            • Adds Run key to start application
                                            • System Location Discovery: System Language Discovery
                                            PID:952
                                        • C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe
                                          "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"
                                          16⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2348
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "
                                            17⤵
                                            PID:1616
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFRXNLPKSGIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe" /f
                                                18⤵
                                                • Adds Run key to start application
                                                PID:2452
                                            • C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe
                                              "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe"
                                              17⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious use of SetWindowsHookEx
                                              PID:2072
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
                                                18⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1696
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe" /f
                                                  19⤵
                                                  • Adds Run key to start application
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2212
                                              • C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe
                                                "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe"
                                                18⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:1612
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "
                                                  19⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2256
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUEBLFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe" /f
                                                    20⤵
                                                    • Adds Run key to start application
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2364
                                                • C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe"
                                                  19⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:2740
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "
                                                    20⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2728
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPSU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe" /f
                                                      21⤵
                                                      • Adds Run key to start application
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2400
                                                  • C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe"
                                                    20⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2908
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempLOPUB.bat" "
                                                      21⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3056
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQAVHBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe" /f
                                                        22⤵
                                                        • Adds Run key to start application
                                                        PID:560
                                                    • C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe"
                                                      21⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2848
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
                                                        22⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3060
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
                                                          23⤵
                                                          • Adds Run key to start application
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2656
                                                      • C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
                                                        22⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1108
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempYGHQL.bat" "
                                                          23⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1548
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEEQWNLPKRGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe" /f
                                                            24⤵
                                                            • Adds Run key to start application
                                                            PID:2032
                                                        • C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe"
                                                          23⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1160
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempJBDRM.bat" "
                                                            24⤵
                                                            PID:996
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJVHFJXYALQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f
                                                                25⤵
                                                                • Adds Run key to start application
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1016
                                                            • C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"
                                                              24⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2476
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempKYGOF.bat" "
                                                                25⤵
                                                                PID:1100
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWHFJEMAXCUSBBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe" /f
                                                                    26⤵
                                                                    • Adds Run key to start application
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:952
                                                                • C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe"
                                                                  25⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:1052
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
                                                                    26⤵
                                                                      PID:892
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
                                                                        27⤵
                                                                        • Adds Run key to start application
                                                                        PID:1768
                                                                    • C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
                                                                      26⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2204
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempBRKNO.bat" "
                                                                        27⤵
                                                                          PID:2512
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TJFESIVRPAUHAUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe" /f
                                                                            28⤵
                                                                            • Adds Run key to start application
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1652
                                                                        • C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe"
                                                                          27⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:1292
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
                                                                            28⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1384
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
                                                                              29⤵
                                                                              • Adds Run key to start application
                                                                              PID:1936
                                                                          • C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
                                                                            28⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:1692
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
                                                                              29⤵
                                                                                PID:1612
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe" /f
                                                                                  30⤵
                                                                                  • Adds Run key to start application
                                                                                  PID:2972
                                                                              • C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe"
                                                                                29⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:2508
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
                                                                                  30⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2764
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVFCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe" /f
                                                                                    31⤵
                                                                                    • Adds Run key to start application
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2592
                                                                                • C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe"
                                                                                  30⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:2804
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempEHISN.bat" "
                                                                                    31⤵
                                                                                      PID:2880
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYMCPLJYOAOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe" /f
                                                                                        32⤵
                                                                                        • Adds Run key to start application
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1480
                                                                                    • C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe"
                                                                                      31⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1484
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
                                                                                        32⤵
                                                                                          PID:3044
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRMKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe" /f
                                                                                            33⤵
                                                                                            • Adds Run key to start application
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:2928
                                                                                        • C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe"
                                                                                          32⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:1448
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempUYKIM.bat" "
                                                                                            33⤵
                                                                                              PID:852
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLUGVAFVWTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe" /f
                                                                                                34⤵
                                                                                                • Adds Run key to start application
                                                                                                PID:2780
                                                                                            • C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe"
                                                                                              33⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:2148
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
                                                                                                34⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:1160
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKWIGKYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe" /f
                                                                                                  35⤵
                                                                                                  • Adds Run key to start application
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:2228
                                                                                              • C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe"
                                                                                                34⤵
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:956
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempURVQY.bat" "
                                                                                                  35⤵
                                                                                                    PID:296
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUIJECFVIPKPLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe" /f
                                                                                                      36⤵
                                                                                                      • Adds Run key to start application
                                                                                                      PID:448
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe"
                                                                                                    35⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:1928
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
                                                                                                      36⤵
                                                                                                        PID:2128
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJECFVIPKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQVCDAJB\service.exe" /f
                                                                                                          37⤵
                                                                                                          • Adds Run key to start application
                                                                                                          PID:864
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQVCDAJB\service.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQVCDAJB\service.exe"
                                                                                                        36⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:1656
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
                                                                                                          37⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:2180
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
                                                                                                            38⤵
                                                                                                            • Adds Run key to start application
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:1580
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
                                                                                                          37⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:1608
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
                                                                                                            38⤵
                                                                                                              PID:1932
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJOBFAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe" /f
                                                                                                                39⤵
                                                                                                                • Adds Run key to start application
                                                                                                                PID:2932
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe"
                                                                                                              38⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:2688
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempKIQCJ.bat" "
                                                                                                                39⤵
                                                                                                                  PID:2812
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
                                                                                                                    40⤵
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:2220
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
                                                                                                                  39⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:2868
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempSYEFC.bat" "
                                                                                                                    40⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:496
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMVTEAYLEYFVOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe" /f
                                                                                                                      41⤵
                                                                                                                      • Adds Run key to start application
                                                                                                                      PID:2672
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe"
                                                                                                                    40⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:2880
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempNWSFC.bat" "
                                                                                                                      41⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:2936
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOSFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe" /f
                                                                                                                        42⤵
                                                                                                                        • Adds Run key to start application
                                                                                                                        PID:292
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe"
                                                                                                                      41⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:2176
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempEIYWF.bat" "
                                                                                                                        42⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:696
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KPCAOWOBDXTOCYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe" /f
                                                                                                                          43⤵
                                                                                                                          • Adds Run key to start application
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:2912
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe"
                                                                                                                        42⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:484
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempYTRAA.bat" "
                                                                                                                          43⤵
                                                                                                                            PID:908
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BRRPXJQUGEIDLWA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe" /f
                                                                                                                              44⤵
                                                                                                                              • Adds Run key to start application
                                                                                                                              PID:792
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe"
                                                                                                                            43⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            PID:1056
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "
                                                                                                                              44⤵
                                                                                                                                PID:1316
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVGWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe" /f
                                                                                                                                  45⤵
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:708
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe"
                                                                                                                                44⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                PID:2988
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
                                                                                                                                  45⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:2208
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /f
                                                                                                                                    46⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2100
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe"
                                                                                                                                  45⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                  PID:2532
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe
                                                                                                                                    46⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:1820
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                      47⤵
                                                                                                                                        PID:2512
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                          48⤵
                                                                                                                                          • Modifies firewall policy service
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Modifies registry key
                                                                                                                                          PID:2180
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                        47⤵
                                                                                                                                          PID:2076
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                            48⤵
                                                                                                                                            • Modifies firewall policy service
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry key
                                                                                                                                            PID:1660
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                          47⤵
                                                                                                                                            PID:1928
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                              48⤵
                                                                                                                                              • Modifies firewall policy service
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry key
                                                                                                                                              PID:1808
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                            47⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:2164
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                              48⤵
                                                                                                                                              • Modifies firewall policy service
                                                                                                                                              • Modifies registry key
                                                                                                                                              PID:1936

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads


                                                03b319edb52087ed08b5e97da5f3b10e7c9c0fac

                                                SHA256

                                                dce7434d7e067067c0f2d96115992a424a8441b4f59a68c06bcbb9886cdfda90

                                                SHA512

                                                99d3980c6acf7670ac37b6fc9dba9ede15d60fb36e4932a5fe949ffc16dc8a03e139193e380367718080047468292978a42b02e4e605a69da7ce7920011ad21a

                                              • C:\Users\Admin\AppData\Local\TempJBDRM.bat

                                                Filesize

                                                163B

                                                MD5

                                                b96232100b90d0b4a9a38041264315a0

                                                SHA1

                                                8cfa701a3dbbae1ced82e5ca1d202c1b6da65cf2

                                                SHA256

                                                6611ac1faa5df5c466b2ee588d0abd4d8714cd2648aa1847c3a17b3afb7a7493

                                                SHA512

                                                7f4f599a4e72eed86ec835b5b2c9804fd75cfc033885ef0a39d1d15aa3905c79db4e8343ddadff4fe6f8a6aa0bd2dd677f0b1e5a879de82cb8e0da90bc3fa65e

                                              • C:\Users\Admin\AppData\Local\TempKIQCJ.bat

                                                Filesize

                                                163B

                                                MD5

                                                e8d566c7e20a2195f8d835b81e0d8735

                                                SHA1

                                                9fbca05594a6aa204b4ea944d25c30b02297f074

                                                SHA256

                                                8ad5af32fb41ddd4c969bba9c41d6e0111a7cfc65bc4b38f5d7954e8fcc40856

                                                SHA512

                                                6432ab9cd9574f00c74b9626e2f517c424c4976ade8913884a2d8cb9b5285e7c629f62f92c80db61b5304da37152206484b235b8e5245e6a9590027f353bdcb1

                                              • C:\Users\Admin\AppData\Local\TempKSEKP.bat

                                                Filesize

                                                163B

                                                MD5

                                                cd7b255d6df08d7c8ef515a65695d1d3

                                                SHA1

                                                adf73803df44319228413e5033db99eb46557217

                                                SHA256

                                                bb419376e5134a6b2b6a426c8d2084b4f382b3a6dc4f10469e64dca5c802d69f

                                                SHA512

                                                5087efea27901a9eff581da7f7febfc2be20c7dbe2b955bab8966a2ba15f02802c37b23ac5860aebaf6287a0af5131a5fb882b1b051fc7b1c1572bd5653ea08d

                                              • C:\Users\Admin\AppData\Local\TempKTPCO.bat

                                                Filesize

                                                163B

                                                MD5

                                                e4163c25c45912355ef19da22767b956

                                                SHA1

                                                1c12ec2627557b0a43a8a806ccaf1dd865aa5edf

                                                SHA256

                                                6da6d41aceb20b5a47767f40a84544be9137721b63fd01dc7f22db1cb6e95d29

                                                SHA512

                                                0a6b57c03360003e2c8864e65a10a9a224e1e7dc63193907c5bae8a8a355d13acedbb81e514047ac2e9e69593c77ce03f294da5c738463ea15f62a71f549c747

                                              • C:\Users\Admin\AppData\Local\TempKXFOF.bat

                                                Filesize

                                                163B

                                                MD5

                                                b196951fba48b5977560e9753b785b65

                                                SHA1

                                                e22f3e6d2c9c03545b5dc31252623bf766673f4a

                                                SHA256

                                                8b7922292951a99acead0d2660c90515a483da5780dfefc2417325f37d807731

                                                SHA512

                                                bd899da3d81da6bab9cb78167b9426efacab052eda353821e30afb1585749bcba973f92cbb41868a111a57b6917a8f0d0ae6019ac78690e822534923133b9aa9

                                              • C:\Users\Admin\AppData\Local\TempKYGOF.bat

                                                Filesize

                                                163B

                                                MD5

                                                d045e334e544bcbb03bc06c6826a3669

                                                SHA1

                                                208470d91b843cf1c5c15863d8a7e746debf2990

                                                SHA256

                                                0028ebcdf30b526f8b48c089bf8ae15e9d48999898e8a06954a94b71cb91aaf5

                                                SHA512

                                                7187e05f55acb096f9b0f2a54ef81c3b822bfeee11fc686e03035ab8243083b7c5e47322b681f9b0069c73e49a148b9aff9e1e5c23ff3d7c18d8d63ef2c1205e

                                              • C:\Users\Admin\AppData\Local\TempLHVUG.bat

                                                Filesize

                                                163B

                                                MD5

                                                de69c25118df8838f32524d5b65053ba

                                                SHA1

                                                d79b8934dab391b2f85b02ec96a6cf696e23d29b

                                                SHA256

                                                40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921

                                                SHA512

                                                71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe

                                              • C:\Users\Admin\AppData\Local\TempLOPUB.bat

                                                Filesize

                                                163B

                                                MD5

                                                5d38f5a1b5aa1b30781c0c84f64331fc

                                                SHA1

                                                acf15e6ce88d606070b06c3cc026a4046a2ff90c

                                                SHA256

                                                6d6f51ac46cba699c83bfd2d6306ef11d5e7fb0c0fd7a9c622dfc7b02c54badd

                                                SHA512

                                                4d881110cd080cab828d06a8dbf602c6f9e29aeb5c8d7fa1f77db6890b5d7161e7f5b433d884dcbcb6dbb0c49a05e05d1b46e726ab53f64427653203dc7b7415

                                              • C:\Users\Admin\AppData\Local\TempMHQHF.bat

                                                Filesize

                                                163B

                                                MD5

                                                aeb4d38b60edc8f0aa4f95ecc32cf195

                                                SHA1

                                                d1c7dc58eb0f534e1a4b64ad17650a3c945292a9

                                                SHA256

                                                8de5f04ed63c66698d8c9ba4f4e830fb284f9320391cde5ef27ff1018edfb281

                                                SHA512

                                                ae56452b6f45ed80a5cc95e1710167675d354113f21cd7113514122cb335fe66a67ffbc262184d78063fad4d2880c7f39963cf805551ca1bc82748d828cc5591

                                              • C:\Users\Admin\AppData\Local\TempMHQHF.bat

                                                Filesize

                                                163B

                                                MD5

                                                7ab00c2d0ec3d74d552ef677edafa12d

                                                SHA1

                                                9f553e5d98a60c4e079c57b27d9545066605e02f

                                                SHA256

                                                898f879244a352030d694967feced2116a26e20ed258ec21ec23df4afaacfdc5

                                                SHA512

                                                23c9e91b67f5f3868d16d43fa5d3271f945ac0c48dfe77ca6aea7e0b24832a86e8b8da26647b200b25e1cf6445f75802bbd33566e25eef9ed5c86e9949f8a9e3

                                              • C:\Users\Admin\AppData\Local\TempMIWVH.bat

                                                Filesize

                                                163B

                                                MD5

                                                3d6710b0c788a455710af4e9c75eb284

                                                SHA1

                                                858206583bfa0609747e015ee73af854f7145096

                                                SHA256

                                                4129bba47b51879ed3e653e9366d2a1308aaaa499a0a98b0f3fdaa392271cc42

                                                SHA512

                                                a98db869cb7144e6d25b9cf16d4eb80c86bbd63308d6b18d39ae145e414f18b682600531beb81910421d33d00ce852784c5214aad8cb57bcbd0d2f5161300523

                                              • C:\Users\Admin\AppData\Local\TempMIWVH.bat

                                                Filesize

                                                163B

                                                MD5

                                                02588bde156f4fec5f0df3d0ff8bede1

                                                SHA1

                                                34461a5ce0789fc448f493a9e6a1c583a0d1a89b

                                                SHA256

                                                e619e4dfcc93453be75b64b7938e54164a7f979fbeb92de6221ad7f9c6a2d0d0

                                                SHA512

                                                56790994e090fa5cf5d4c5eea229189c7cf591ca0554a1c463c0e1f8ef18aa376fa2e53078b417a5bc7063d606d12743113585cefc6b1b232be14fe7dc161c73

                                              • C:\Users\Admin\AppData\Local\TempMNWSA.bat

                                                Filesize

                                                163B

                                                MD5

                                                08a46825f8687526303d13241600973a

                                                SHA1

                                                43085350ae1fcefab6da5f21cfa61871e88094cd

                                                SHA256

                                                53d3ce1ce804418b19fd7ed0d1e65aa46092117a49cc26a2a32750ede80c6b97

                                                SHA512

                                                684220fc914968d010ff118585b463bafa1c5909334dae5138caae443082278909324530016c7dc5a95f4d102573082db7a33abb5b3f753ed110a50945ab942f

                                              • C:\Users\Admin\AppData\Local\TempMVREB.bat

                                                Filesize

                                                163B

                                                MD5

                                                f66f3267a3bab1cc959fa1d5af0c6a43

                                                SHA1

                                                30f9d9b5e0260c4a26075122ed947ae0bb817ac1

                                                SHA256

                                                62b73d8deec06eec732c12de69805934be35c1f930e35984602da606c4fc7fa0

                                                SHA512

                                                792f9a42f41bb37a52f567b0e73af29ac2dd946c0043a6405945418f5dd5cbf3c64a70a5c54620a2d69d3fdf0b302646b0b3dbc8833b800f7c85056fec2fe82f

                                              • C:\Users\Admin\AppData\Local\TempNWSFC.bat

                                                Filesize

                                                163B

                                                MD5

                                                543169eb5726ce39eb8f083424122dfd

                                                SHA1

                                                aa9454765c3161e4eeffff1bf013fcfc259b1273

                                                SHA256

                                                7143e2265fe438ea6ded40faf746bffd04099e41508d04f730c9433a9f3ae6ca

                                                SHA512

                                                68fab6b4f3891bcd02a18cf26df4c48b5c4ee42622843198ba52e96d994680c84640a3c90872997cbc71638425c4bdcef57202605f941bf90b205aaf840d4abe

                                              • C:\Users\Admin\AppData\Local\TempQLTHI.bat

                                                Filesize

                                                163B

                                                MD5

                                                54727cbb67d70ab8d9c6af1f005fcab5

                                                SHA1

                                                7bc190c8f4f41a0549363212557ef5a4eb0e8247

                                                SHA256

                                                1e54d8575f379ba1050f0910f8aee21f8b75d06709544ecb5509fa165b2dfd03

                                                SHA512

                                                200a6eaee9bef6b70bd5c23e32197b50b8c467b816326e724a4c5838a9df04a677d3a12c962b61428cb8f3c8b11cd2f97e44b4180972718e68ce6ba361a5a00c

                                              • C:\Users\Admin\AppData\Local\TempQRWDE.bat

                                                Filesize

                                                163B

                                                MD5

                                                7b3f0fcc7c03d7b552b471000ee71b7b

                                                SHA1

                                                f85d7f034e1e723823b05152a4d1c80f05eb1865

                                                SHA256

                                                2ffc2e9ad370cce043d30ce721a627551872e249848e5f69e684d1ff6d879849

                                                SHA512

                                                ce33d49ae66b9d0a1c87516e65213838e8ace527ce6d9d66bb014d9bef1f5e117c4334f44b87be10ef1c609b209ad0ca35534609ba9048fb7f684a7e51f05dc2

                                              • C:\Users\Admin\AppData\Local\TempQRWDE.bat

                                                Filesize

                                                163B

                                                MD5

                                                5f86bd202bfcd38eb1df9dc3f99b3f2d

                                                SHA1

                                                20eb5c3c335c0ae536940a2687e7a4b19f36ce56

                                                SHA256

                                                d321062aed8a7c06ac93888227db15ce99c621f0c1f748ed53813a296aa4ab84

                                                SHA512

                                                4ce449ef9cbe9707adba1be3be1a650c1ff846ad9f3af74ed8428ab64f9c35f0425482af8c5d68afc7d9eff857e369b949b65d9f03e4f7f515f1f3fb3b02045c

                                              • C:\Users\Admin\AppData\Local\TempSDWWL.bat

                                                Filesize

                                                163B

                                                MD5

                                                f12eabc05ad07e28998bba3d0c4b7517

                                                SHA1

                                                21aa28ea0e9786833d2cea38e7f8176560945456

                                                SHA256

                                                d6ed466f36738b8d14060e25c85244877190aeda44d43d0bd7b71203a44163eb

                                                SHA512

                                                e25d3d9b2ace750368e8a212701ef5415922669b72231abd716faec01db65ba14ae93cc3e5d8d9c4fd65e9edc69e0c6650268b6ef2cd9d1d0445a58b23f1561f

                                              • C:\Users\Admin\AppData\Local\TempSYEFC.bat

                                                Filesize

                                                163B

                                                MD5

                                                8f6e93c5788ab7e862a4a8b9e2cabb88

                                                SHA1

                                                180c97764b02dbfed167be2e645232661fc91787

                                                SHA256

                                                b0c5204560e86ad1cb2b86b11c05964e66767ea84d4f66d08473aca923a09f30

                                                SHA512

                                                ca30674b3ae38184d576363299827452a90ad8ca5099c36ae7298240e2cd5361fa6162d4d863b18a3889a56dae0e67f9703e47e1819e3169e18e5579d4ef74bd

                                              • C:\Users\Admin\AppData\Local\TempUASWR.bat

                                                Filesize

                                                163B

                                                MD5

                                                3296eb0d4931e63a9841d8f26635252f

                                                SHA1

                                                e078d93e382746df8d0ba15525614712cc694194

                                                SHA256

                                                a8748d6c7d27564559ea5967c93498d1dc0fad714717eaa3a35eb6c212811d06

                                                SHA512

                                                ab3a93c9b30a5ced8e3a5aae2b94109977c17c50ba843c4a04d23189549fa57a289061d5e7b5a3ec7c420c142678f033164565e331e06cea36daeb64c5d4132d

                                              • C:\Users\Admin\AppData\Local\TempUBXXR.bat

                                                Filesize

                                                163B

                                                MD5

                                                510c51f3c8abe27fd0bcdcfc74da9289

                                                SHA1

                                                cf960de9fbe385c3fcc2cf4df981975a24d6ebc5

                                                SHA256

                                                1a3fb04a17723f003444f17a9ec5742de390875af1f1d397606c2b649f6b3ba6

                                                SHA512

                                                c4f0b84b96e72ece716a10e819f32373433e0fdf04a8bf0c0a8efe388a3f3bb2672682cf623236530cf0662955aaeb02aa1c793872c260a912a81b5140bde7f6

                                              • C:\Users\Admin\AppData\Local\TempULJNI.bat

                                                Filesize

                                                163B

                                                MD5

                                                400d6474abb9dae040297b4109e7db28

                                                SHA1

                                                283a3c7dde4a01360c7003f5b88a6561205a70f3

                                                SHA256

                                                4997888233ac72bcd9716d22dde145bc0b5d9532ec86573cab9bd657a00a8275

                                                SHA512

                                                ec0e63bb2dede9a99c90eda2a012e1f8a145cf32779a5f6b75f082f775d2f124971a72d137a4efd77141bf16c9a6d51442832150744c904ecba8f8b7acef48a2

                                              • C:\Users\Admin\AppData\Local\TempURVQY.bat

                                                Filesize

                                                163B

                                                MD5

                                                1d66c5240addf33511e955a29c025fbb

                                                SHA1

                                                36d91e5cd413ff7a6e1b14a7b1ab692cf42d98ec

                                                SHA256

                                                5bade5a99e9ffae2aec60717f147ce28536cdd5cf5c5e72376f1690c322d7f0b

                                                SHA512

                                                3b5b41091212db91723976d2de1fd2cad7709ff72a1976d7af033c55cb2012e295a5f10c00fb701d416567b64ee827d18154b95b244f9c398b37f992a83dc116

                                              • C:\Users\Admin\AppData\Local\TempURWRY.bat

                                                Filesize

                                                163B

                                                MD5

                                                5bdb321f6b56b57c47865c2bc74de991

                                                SHA1

                                                28960808440ba29d37c356052c914289e102067c

                                                SHA256

                                                ff9ed4bb35370501898f4a4f12e6617961df220200e2a6c9a2cb3688960b8c76

                                                SHA512

                                                fd1457149efe3e769c58fd32637a41809a562ba0d827afd8465903a37bca01792feb3e9ea9e3459593718c53d0df6c174549594d4f1a37ae26bdd0280476356a

                                              • C:\Users\Admin\AppData\Local\TempUYKIM.bat

                                                Filesize

                                                163B

                                                MD5

                                                fc06b62ab62c73b33327e4b1e7bab0ac

                                                SHA1

                                                3de4374ff7150cb05c1d731f704ea77d56516cd6

                                                SHA256

                                                cd6ca65a6fb7bf52ac57ccae8fc44271ec6b500c4ed84fa25b89077498c93b46

                                                SHA512

                                                3dd351a87c62962243a26216558d27d1c3f757f6c39f338bdeb8991a993e95bca35c9c09e503567e9735cc1ade3f6e1007287c3cda898e2631208ac02fabf449

                                              • C:\Users\Admin\AppData\Local\TempWALYJ.bat

                                                Filesize

                                                163B

                                                MD5

                                                b4537d9f9239a9d8fb8d2064451913c1

                                                SHA1

                                                34090adc73b2d6b3b0cf04d885a064ee6e5377c6

                                                SHA256

                                                f38f04e0cc27cb23d191310c696c4884db22e4ce7ea87203b351dd596dc1aa56

                                                SHA512

                                                03efe5b20261c714833d2521397ba672cfe94ec888ca856b6ef7302115523be05032f37511de4e09e412900935380ddde02251feb71cf660bec32afca2763fa4

                                              • C:\Users\Admin\AppData\Local\TempXGGPK.bat

                                                Filesize

                                                163B

                                                MD5

                                                f79af593b565fa504b1730c2420b55f7

                                                SHA1

                                                e34a697f00f16e8e2dd8bf6fd18e2e018cd106dc

                                                SHA256

                                                614a7458b0b0066233089d4051258aec9bcf4a3cbb6247e599a9a88182730062

                                                SHA512

                                                0e9e838e141443b08d93fa3f9aedad58f39bbf8dac509ecb47cb5cf9b55e1ca36b921c91702815e2bacc46732bf56dc81e795409c7c214d701187fc25f5b628d

                                              • C:\Users\Admin\AppData\Local\TempYFGDM.bat

                                                Filesize

                                                163B

                                                MD5

                                                277bbee719763e009a5e8bf22f8bf81f

                                                SHA1

                                                dea210d15df545f4d65c50f2695ad608c0677681

                                                SHA256

                                                3a58e680b7c79659f0a8588513dbe29d259c8d7e60f5ab806c80c2894b2ff44c

                                                SHA512

                                                7ff238358d28238418cc5af223051a206ad478ea6f48067bfefa6779b37b88668394df6b4f35f5bed93e0ec01fde32689b5e246586df6aaaf5214895f9be5ddd

                                              • C:\Users\Admin\AppData\Local\TempYGHQL.bat

                                                Filesize

                                                163B

                                                MD5

                                                2b8deb0667dfe429ce39ef9eebbdf9a4

                                                SHA1

                                                67f6fd313dc8f3ca57b6c9c2b2f2da8b737f7214

                                                SHA256

                                                f75ce084bf721bda52af7d80b4616808b5a39c00492a14348e021e73fcdd3b14

                                                SHA512

                                                6f5b82cf626fdb0230b3995a4642d24628e6985c3aec4daf1102f5c055b6652ca3630b97e9b3f4c91d7f00fdceb37050d8d5a10a3505a97aa74a9b09c10e188a

                                              • C:\Users\Admin\AppData\Local\TempYTRAA.bat

                                                Filesize

                                                163B

                                                MD5

                                                1b7df251701ef9018010000e50d1a146

                                                SHA1

                                                a90e8b2aa9a0e6f1fabc4e07ccb886374ec96a5b

                                                SHA256

                                                9363e5fb9e3e75e4dd788b7ac793ff83a739e0f0341ad63f2b6c18ae333355f5

                                                SHA512

                                                69f1141e72ea170be7cc8b3a6a17cb42c5cf2c88d76337ddc2b2daafb05fcfd21feaf94b3742058f4adb31ae3e0b0cd694d9e2b8c16306ca561d809bb297c275

• C:\Users\Admin\AppData\Local\TempYWFGO.bat (Filesize 163B)
• C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe (Filesize 520KB)
• C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe (Filesize 520KB)
• C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe (Filesize 520KB)
• C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe (Filesize 520KB)
• C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe (Filesize 520KB)
• C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe (Filesize 520KB)
• \Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe (Filesize 520KB)
• \Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe (Filesize 520KB)
• \Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe (Filesize 520KB)
• \Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe (Filesize 520KB)
• \Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe (Filesize 520KB)
• \Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe (Filesize 520KB)
• \Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe (Filesize 520KB)

• memory/1820-1125-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize 452KB)
• memory/1820-1130-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize 452KB)
• memory/1820-1133-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize 452KB)
• memory/1820-1134-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize 452KB)
• memory/1820-1135-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize 452KB)
• memory/1820-1137-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize 452KB)
• memory/1820-1138-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize 452KB)
• memory/1932-942-0x0000000076C40000-0x0000000076D5F000-memory.dmp (Filesize 1.1MB)
• memory/1932-943-0x0000000076B40000-0x0000000076C3A000-memory.dmp (Filesize 1000KB)