blackshades | 35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/02/2025, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
Size

520KB
MD5

0ef061308ce5237b1c4feb5ec4895e90
SHA1

e8a728ead1cc3c2d931c6fc21ccd89fba5f0f220
SHA256

35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6
SHA512

79f5484feb40243edf020b3db170034a234e630634eba84f65828bb52d3722fa16de1ef7c0ab43ec21d5471f28525de9fdf23e61a61e6c92bf6f6d3847646760
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXy:zW6ncoyqOp6IsTl/mXy

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral1/memory/2700-1482-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2700-1487-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2700-1490-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2700-1491-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2700-1492-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2700-1494-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRXTJWENE\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 60 IoCs

pid	Process
2712	service.exe
2996	service.exe
2788	service.exe
1940	service.exe
1872	service.exe
1712	service.exe
1296	service.exe
2304	service.exe
1532	service.exe
1744	service.exe
1932	service.exe
2996	service.exe
2788	service.exe
2676	service.exe
1528	service.exe
1284	service.exe
1580	service.exe
880	service.exe
2892	service.exe
532	service.exe
872	service.exe
2476	service.exe
2956	service.exe
2392	service.exe
688	service.exe
892	service.exe
1104	service.exe
2576	service.exe
2704	service.exe
2816	service.exe
1440	service.exe
1980	service.exe
2776	service.exe
2364	service.exe
1216	service.exe
1452	service.exe
1420	service.exe
880	service.exe
2892	service.exe
2800	service.exe
1924	service.exe
1072	service.exe
2900	service.exe
844	service.exe
744	service.exe
544	service.exe
1496	service.exe
1968	service.exe
936	service.exe
1892	service.exe
2244	service.exe
1920	service.exe
2188	service.exe
1144	service.exe
688	service.exe
1976	service.exe
884	service.exe
1448	service.exe
2740	service.exe
2700	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
2712	service.exe
2712	service.exe
2996	service.exe
2996	service.exe
2788	service.exe
2788	service.exe
1940	service.exe
1940	service.exe
1872	service.exe
1872	service.exe
1712	service.exe
1712	service.exe
1296	service.exe
1296	service.exe
2304	service.exe
2304	service.exe
1532	service.exe
1532	service.exe
1744	service.exe
1744	service.exe
1932	service.exe
1932	service.exe
2996	service.exe
2996	service.exe
2788	service.exe
2788	service.exe
2676	service.exe
2676	service.exe
1528	service.exe
1528	service.exe
1284	service.exe
1284	service.exe
1580	service.exe
1580	service.exe
880	service.exe
880	service.exe
2892	service.exe
2892	service.exe
532	service.exe
532	service.exe
872	service.exe
872	service.exe
2476	service.exe
2476	service.exe
2956	service.exe
2956	service.exe
2392	service.exe
2392	service.exe
688	service.exe
688	service.exe
892	service.exe
892	service.exe
1104	service.exe
1104	service.exe
2576	service.exe
2576	service.exe
2704	service.exe
2704	service.exe
2816	service.exe
2816	service.exe
1440	service.exe
1440	service.exe

Adds Run key to start application 2 TTPs 59 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNPBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPGTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPIBHOXANTKSHRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNMQDHDBRXPGFHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCUTBVLYBGPGF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXWMWPOQCGLYL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ULAVRMVGWBGVWTD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYXNXQPRDHMAM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWUYMCPLJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPHXODND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFTAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNLTFMQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEXHTSTPNUPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIFJEMBYCUSBCVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROIDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFSDBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IOTFDHCJVWRQSIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULKAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYFOXVGCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWHIBVACSPPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNSPDPAXDVUQSEK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYJHLGODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQKFAEUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMGQXHEOIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BSLRYJAKDXCEURR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHFMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSCJTPKFEUVSBB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUIKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUEPUERCAF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FPYGDRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQUIMHFWUKKMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTLJAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DAEHTUPNQFTBKBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNLSOERYI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHTFDHVWJOVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XKMHFIXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDRHUQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKCIPYABOUMTIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFLCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NHRYIFPJKTWXJKH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHQNHCCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IPTFDHCKVWSQSIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSFSUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTLSHRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNMGQXHEOIJSVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXLBOKIYXNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOFWNCMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFAAVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YDNLKOBFBPVNEDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJXEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKKWTQUPXMNAFMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHHIDBIEUHOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSUGKPDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2532	reg.exe
1300	reg.exe
2816	reg.exe
2864	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2700	service.exe
Token: SeCreateTokenPrivilege	2700	service.exe
Token: SeAssignPrimaryTokenPrivilege	2700	service.exe
Token: SeLockMemoryPrivilege	2700	service.exe
Token: SeIncreaseQuotaPrivilege	2700	service.exe
Token: SeMachineAccountPrivilege	2700	service.exe
Token: SeTcbPrivilege	2700	service.exe
Token: SeSecurityPrivilege	2700	service.exe
Token: SeTakeOwnershipPrivilege	2700	service.exe
Token: SeLoadDriverPrivilege	2700	service.exe
Token: SeSystemProfilePrivilege	2700	service.exe
Token: SeSystemtimePrivilege	2700	service.exe
Token: SeProfSingleProcessPrivilege	2700	service.exe
Token: SeIncBasePriorityPrivilege	2700	service.exe
Token: SeCreatePagefilePrivilege	2700	service.exe
Token: SeCreatePermanentPrivilege	2700	service.exe
Token: SeBackupPrivilege	2700	service.exe
Token: SeRestorePrivilege	2700	service.exe
Token: SeShutdownPrivilege	2700	service.exe
Token: SeDebugPrivilege	2700	service.exe
Token: SeAuditPrivilege	2700	service.exe
Token: SeSystemEnvironmentPrivilege	2700	service.exe
Token: SeChangeNotifyPrivilege	2700	service.exe
Token: SeRemoteShutdownPrivilege	2700	service.exe
Token: SeUndockPrivilege	2700	service.exe
Token: SeSyncAgentPrivilege	2700	service.exe
Token: SeEnableDelegationPrivilege	2700	service.exe
Token: SeManageVolumePrivilege	2700	service.exe
Token: SeImpersonatePrivilege	2700	service.exe
Token: SeCreateGlobalPrivilege	2700	service.exe
Token: 31	2700	service.exe
Token: 32	2700	service.exe
Token: 33	2700	service.exe
Token: 34	2700	service.exe
Token: 35	2700	service.exe

Suspicious use of SetWindowsHookEx 63 IoCs

pid	Process
2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
2712	service.exe
2996	service.exe
2788	service.exe
1940	service.exe
1872	service.exe
1712	service.exe
1296	service.exe
2304	service.exe
1532	service.exe
1744	service.exe
1932	service.exe
2996	service.exe
2788	service.exe
2676	service.exe
1528	service.exe
1284	service.exe
1580	service.exe
880	service.exe
2892	service.exe
532	service.exe
872	service.exe
2476	service.exe
2956	service.exe
2392	service.exe
688	service.exe
892	service.exe
1104	service.exe
2576	service.exe
2704	service.exe
2816	service.exe
1440	service.exe
1980	service.exe
2776	service.exe
2364	service.exe
1216	service.exe
1452	service.exe
1420	service.exe
880	service.exe
2892	service.exe
2800	service.exe
1924	service.exe
1072	service.exe
2900	service.exe
844	service.exe
744	service.exe
544	service.exe
1496	service.exe
1968	service.exe
936	service.exe
1892	service.exe
2244	service.exe
1920	service.exe
2188	service.exe
1144	service.exe
688	service.exe
1976	service.exe
884	service.exe
1448	service.exe
2740	service.exe
2700	service.exe
2700	service.exe
2700	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2624	2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe	28
PID 2032 wrote to memory of 2624	2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe	28
PID 2032 wrote to memory of 2624	2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe	28
PID 2032 wrote to memory of 2624	2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe	28
PID 2624 wrote to memory of 2560	2624	cmd.exe	30
PID 2624 wrote to memory of 2560	2624	cmd.exe	30
PID 2624 wrote to memory of 2560	2624	cmd.exe	30
PID 2624 wrote to memory of 2560	2624	cmd.exe	30
PID 2032 wrote to memory of 2712	2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe	31
PID 2032 wrote to memory of 2712	2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe	31
PID 2032 wrote to memory of 2712	2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe	31
PID 2032 wrote to memory of 2712	2032	35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe	31
PID 2712 wrote to memory of 2436	2712	service.exe	32
PID 2712 wrote to memory of 2436	2712	service.exe	32
PID 2712 wrote to memory of 2436	2712	service.exe	32
PID 2712 wrote to memory of 2436	2712	service.exe	32
PID 2436 wrote to memory of 1968	2436	cmd.exe	34
PID 2436 wrote to memory of 1968	2436	cmd.exe	34
PID 2436 wrote to memory of 1968	2436	cmd.exe	34
PID 2436 wrote to memory of 1968	2436	cmd.exe	34
PID 2712 wrote to memory of 2996	2712	service.exe	35
PID 2712 wrote to memory of 2996	2712	service.exe	35
PID 2712 wrote to memory of 2996	2712	service.exe	35
PID 2712 wrote to memory of 2996	2712	service.exe	35
PID 2996 wrote to memory of 1400	2996	service.exe	36
PID 2996 wrote to memory of 1400	2996	service.exe	36
PID 2996 wrote to memory of 1400	2996	service.exe	36
PID 2996 wrote to memory of 1400	2996	service.exe	36
PID 1400 wrote to memory of 684	1400	cmd.exe	38
PID 1400 wrote to memory of 684	1400	cmd.exe	38
PID 1400 wrote to memory of 684	1400	cmd.exe	38
PID 1400 wrote to memory of 684	1400	cmd.exe	38
PID 2996 wrote to memory of 2788	2996	service.exe	39
PID 2996 wrote to memory of 2788	2996	service.exe	39
PID 2996 wrote to memory of 2788	2996	service.exe	39
PID 2996 wrote to memory of 2788	2996	service.exe	39
PID 2788 wrote to memory of 1608	2788	service.exe	40
PID 2788 wrote to memory of 1608	2788	service.exe	40
PID 2788 wrote to memory of 1608	2788	service.exe	40
PID 2788 wrote to memory of 1608	2788	service.exe	40
PID 1608 wrote to memory of 1936	1608	cmd.exe	42
PID 1608 wrote to memory of 1936	1608	cmd.exe	42
PID 1608 wrote to memory of 1936	1608	cmd.exe	42
PID 1608 wrote to memory of 1936	1608	cmd.exe	42
PID 2788 wrote to memory of 1940	2788	service.exe	43
PID 2788 wrote to memory of 1940	2788	service.exe	43
PID 2788 wrote to memory of 1940	2788	service.exe	43
PID 2788 wrote to memory of 1940	2788	service.exe	43
PID 1940 wrote to memory of 1748	1940	service.exe	44
PID 1940 wrote to memory of 1748	1940	service.exe	44
PID 1940 wrote to memory of 1748	1940	service.exe	44
PID 1940 wrote to memory of 1748	1940	service.exe	44
PID 1748 wrote to memory of 1864	1748	cmd.exe	46
PID 1748 wrote to memory of 1864	1748	cmd.exe	46
PID 1748 wrote to memory of 1864	1748	cmd.exe	46
PID 1748 wrote to memory of 1864	1748	cmd.exe	46
PID 1940 wrote to memory of 1872	1940	service.exe	47
PID 1940 wrote to memory of 1872	1940	service.exe	47
PID 1940 wrote to memory of 1872	1940	service.exe	47
PID 1940 wrote to memory of 1872	1940	service.exe	47
PID 1872 wrote to memory of 2284	1872	service.exe	48
PID 1872 wrote to memory of 2284	1872	service.exe	48
PID 1872 wrote to memory of 2284	1872	service.exe	48
PID 1872 wrote to memory of 2284	1872	service.exe	48

C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempQCINA.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NHRYIFPJKTWXJKH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe
  "C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFTAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:684
  - - C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
      "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNMQDHDBRXPGFHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
        7⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVGCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
        8⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
        10⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
        11⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTFDHVWJOVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        12⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVGHFN.bat" "
        14⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUIKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGQXHEOIJSVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "
        17⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVHNS.bat" "
        18⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
        19⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        20⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
        21⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "
        24⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IPTFDHCKVWSQSIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
        26⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSPDPAXDVUQSEK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCUYTQ.bat" "
        27⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFIXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMWRFC.bat" "
        28⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
        29⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVRRGP.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKKWTQUPXMNAFMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHRM.bat" "
        31⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXLBOKIYXNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGPGD.bat" "
        32⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFJEMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        33⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWSST.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUEPUERCAF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXMIQI.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYJHLGODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
        37⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        39⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
        40⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGQXHEOIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
        42⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
        43⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFSDBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f
        45⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEOKYX.bat" "
        45⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQUIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "
        46⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCJVWRQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "
        47⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOULJN.bat" "
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ULAVRMVGWBGVWTD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe" /f
        49⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        49⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMNXTA.bat" "
        50⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDRHUQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        51⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "
        52⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "
        53⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMWSFC.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSFSUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKXIGL.bat" "
        55⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DAEHTUPNQFTBKBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEHISO.bat" "
        56⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUYMCPLJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        57⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        58⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
        59⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
        60⤵
        Adds Run key to start application
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        60⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YDNLKOBFBPVNEDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /f
        61⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        62⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        63⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe:*:Enabled:Windows Messanger" /f
        62⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe:*:Enabled:Windows Messanger" /f
        63⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        62⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        63⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        62⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        63⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHVDR.bat

Filesize
163B

MD5
67268169a450d00a136aeb8064928cf6

SHA1
2ff1c026bb20b5f389c3be97e1d371ffa9fda84c

SHA256
fa60dc9662fd2feb711d924c44f9a5b09b975c5d5694037ffb38aaeaf25555ae

SHA512
43ede016de0bad1a5cf6c85bee13503e7ba215de4e3e9e38a0b2015b0a318984a460500da0946727ecc94d188ac7365f2a120ba15c1d62e986ae4ea8718c3466

Download Submit
C:\Users\Admin\AppData\Local\TempAJXFT.bat

Filesize
163B

MD5
a30167e31c01f85d6c92a66e4a1e7a45

SHA1
e6827711f8963253c69d0bbb93b1cdf6a9a6fc33

SHA256
2193d0aa846a104c72d63655057f9e3e8d2db56f6fef38704c962da0420eb015

SHA512
c06abd285482f11a340756bb44fc90dc258062b4bda20625c561e4b2c5013300fbd2a7cb643dc7888c33547db25e132e34863d67a1bbb3a27d19949b18cc5d3d

Download Submit
C:\Users\Admin\AppData\Local\TempBPYLK.bat

Filesize
163B

MD5
a10f7849903f762fe4fa5132e5c47f3d

SHA1
27d9b61d92991d2ca2c120be1b4a6f071f8a240e

SHA256
03b747a65a1f1813551874b2f4e6133dbac1efd8bba28abbbe874d38199286ed

SHA512
4d922b5fe3e2e3a385bd7cc7e9b21ac489e9eaf1e9fac1b3675804cca68bfc6f9ca37a7f7726d19956d0337abdd44de758e338356d07fd4bcdd27e8ca23a92cf

Download Submit
C:\Users\Admin\AppData\Local\TempCAJXF.bat

Filesize
163B

MD5
dd9b85c1af6e757ed070222ec926d5fa

SHA1
3a3315571ea00bc351bcb25f1771fb38de381a6c

SHA256
cc1528e64456e553119a25e753b1f1bf04ff3006b4c32805d0607193f2a840ec

SHA512
c7f1f4c75a3211f0a023c7a8a5040415545a676b7b183a4814de9f7b305809285fcdf789f27f3f9a0b7b139ccd488eb17bf3a7183e32e084f1310488dd8038a3

Download Submit
C:\Users\Admin\AppData\Local\TempCUYTQ.bat

Filesize
163B

MD5
b643d0a270af101a499759dcdbd0c158

SHA1
322b05844e3c68bf26a948bef889376bf098599a

SHA256
c223e954ca44188c8423f4b8043401d93fe8d5c4020d194ee8b4c89bed33c671

SHA512
73486fb470f3e99b5a402eb148b9adcc44899218f545ef4e5d03f8f191739e68affcf33c8f311384f31859416764baea4c6712d7814d78dabc7c6380abfe98be

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.bat

Filesize
163B

MD5
0b57c15fd2f954e4c0ead7c5b4f07712

SHA1
5b73040f77d43fda38413a933725a8c217d927e1

SHA256
0306c67f59bc629b07b635cd19ab7b7393149afac18b8ff119b1c84fb1ba32cc

SHA512
0cc8ab2799c04ad5ee51a7058b5eb3d01e231440f737c2695fd43ae466635ea4d7eb0c7d27d3e4d43076cf8d2c7b266e0486ee0d7e097ed236c27de5749807c4

Download Submit
C:\Users\Admin\AppData\Local\TempDGHRM.bat

Filesize
163B

MD5
0249cdd5fec49f655d0544e0408066b0

SHA1
e4570b515d8315dd7c7ae990fed0e0531d9f6717

SHA256
770e28d52596e72f3cc06bf58ba8b7055cc4a67e4015ffe5cdc92249d62a134f

SHA512
135aa6d91b2347882a50de341f8e7067958b94332342af2c68f5ed31d02d4689d34b014385b9ca6bcac26db030f6fe9601ec421f0ad028c04d66b8056e85573b

Download Submit
C:\Users\Admin\AppData\Local\TempDMDXB.bat

Filesize
163B

MD5
f4bcee1dd00530f989ef44bc06d800ea

SHA1
96efeccae00723e1510681acd4ca9812ecf34070

SHA256
a3f12075725eb1e4f59ac358217eb8abf0bf93321ddf9c5302f7c072749460c2

SHA512
8376bb982210ccc7ecbf4ad36aa46c841c98834751f76b1395e04d5f7a2c9f1d23097aeec3842e7dc106efa3ffcab08a8c74023b7a42817ea3f9dd590f137c65

Download Submit
C:\Users\Admin\AppData\Local\TempDMDXB.bat

Filesize
163B

MD5
86d46b22ad4be83bae4400be75994f3a

SHA1
36833b490ee0da163a18b8135947a608c5076df1

SHA256
d0fc60d20c3b5a2910e4cb3c545f042d32e5d3c350a755fcd5edaf687fed6f4b

SHA512
384347bb010665ee7325babd297f3cce0756a88ec3019dff2f6521f70e873416b56cd773034c5f91e3913462ba5fc03cd0905712021e20b67e423f159f709328

Download Submit
C:\Users\Admin\AppData\Local\TempEHISO.bat

Filesize
163B

MD5
817581e4cfe28bab2be4f4b73f7ab372

SHA1
ae99ec7f67ac23fae736086d22defc4434e1b7af

SHA256
e516494166781a16fa09d61ab2d51fc1b2205c7ad04f4c0b58cdb160915a8b59

SHA512
f74af482a46e730970d30bb87096b69d1e0c9409a51ac6ba0cdebc973e088aa43c67992460e076bfd0c12374b267e2515eb2f62435727e0ab1c5d82da02db39d

Download Submit
C:\Users\Admin\AppData\Local\TempEOKYX.bat

Filesize
163B

MD5
13fc67cd31ffeff8ff68bcb3338f3759

SHA1
c8deca1940e43b5e3ece21d56196eeb6e765b671

SHA256
086ba7ec0ac1b7daa0b72a2247f392c20244eb218562f4894dd0afca268fed4a

SHA512
d26880b67eaf33300b4b62533af01a80efe00bb233ae3edcd6068d8548cddd4a13a4c85af9fa404307126776b22bde1dee871c49143ab07af6bbd1e4066c81ae

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.bat

Filesize
163B

MD5
eef7357c045170887b4993762e5dd5cf

SHA1
21031e1a02aa4160baff2c33dcb5e923facf65f7

SHA256
86bab36c4455d62e74523fa3fff5943930a38b858fa9043df93eb6906a01999b

SHA512
be86486ed0ec7459c6306edf10196a647aebb0e46f453d001b0838c064e9e233f16dd4532e79840365f2051110335a11ef60b0f22a5d97fd9f17804050a297fd

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.bat

Filesize
163B

MD5
589436d2282c919a7471972002f0b1d7

SHA1
ccd1af9490b3201fb03e8ca72c3b036bb889065b

SHA256
658d9b4f290c38e30eb6b599cd21aa76a16ad64d5694e1543f8c5c6d8f5fe1e9

SHA512
1d9e52be33fa2208e76082b4146853ff33877ba956e9fe77263b6093381ee836d052196d6f3899750e5553c94fddf2e1a7c32db5b098fe1dce9b694ee6b809de

Download Submit
C:\Users\Admin\AppData\Local\TempGPBHM.bat

Filesize
163B

MD5
acab14ba87bf9ddb2147ace156e97372

SHA1
6e0cf4c039c56b02039ac63b61028dfc21b416e5

SHA256
5f4492ded316fb712b9a15073e74b254b12d79c6b08846dd6fa29422c6197ed2

SHA512
b55629884b3b98d998c7c1761d43e6c01d3aa45a43580e8d8f32044394aa0185722515393e370153c7c01170aaebfa0c2e2170beb804f186d271a21804100188

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
9d8c823aa9d6fc3f009d667a0b5c2aeb

SHA1
9cc26bc83d1c543b737c4880b73e40a6ed254bce

SHA256
980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4

SHA512
66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42

Download Submit
C:\Users\Admin\AppData\Local\TempGYXUU.bat

Filesize
163B

MD5
580b41089b57db8a6c700604e3950814

SHA1
ad40f4de6e646bfbb845bed835dccf60c30c2c9e

SHA256
0ab38778cc72a8cec5b9954bb5043c04da77550a00e508919f5b41208e892e44

SHA512
28f72cac31fa657b415f221e2bd06bab74324484cee1cce39cfe05d681dc4afba69ca801521b575943473534103c924ec996b1e8ea5d9bf3762ae607751bad0d

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.bat

Filesize
163B

MD5
cdfa77971a1f9127b97660a76d4fb58e

SHA1
875b079728e19436dd88625936b1006a4ad03e07

SHA256
b299f4cb54fcd5fc0b66cd58f10dd34a3edbc01e542cb6ae3f8e2e23cf29c2e4

SHA512
74fc432277874fadebdfbc3ce5e2c2b299fb4eefdcd9fb971664eef39fdf29e5e4fd5f6c1befe62065a5a4827cf0d99f33336da413343e1e1e9dcf01702037a8

Download Submit
C:\Users\Admin\AppData\Local\TempIACQM.bat

Filesize
163B

MD5
9fe31522e32686d96aa4b7f746e43622

SHA1
eb58bb76f771b5113e0cd148c3f708dd5544bb28

SHA256
3409ec305bc11e703108de450fd3ecb5593ddaeef8f099d0ea7d065310c19a6e

SHA512
6966491fbbbb745f6d21cfc8a8717902cab3e448009722c51984162e202e6feda31d5dd4f0211bf5bfdebedc20a1135b24af227d2788ccf3342953cfb98c5a47

Download Submit
C:\Users\Admin\AppData\Local\TempJACDR.bat

Filesize
163B

MD5
207c5e2e589fb20b3290f4adb1e585e5

SHA1
7fef3e2e35d9e04b7e2841eca3b3fd3b740d2903

SHA256
98139c5f13002d6873a1eceb5caa23ae8e4d32856baf9a3ac9a3b60b9fd7bfc1

SHA512
7cdd023c660d4aeb15864141dc0b8e82a8c58b4cd1c15252e11999ef5596b14232238898fdf1b1e1cae084727c68993d40d82ca3055bc55b4e44846a5c72fafb

Download Submit
C:\Users\Admin\AppData\Local\TempJGPBH.bat

Filesize
163B

MD5
ed6b9ff4ddc912cb5e4b9dea8b4eab46

SHA1
76088644ad856ef052be0511a66e55227937c96d

SHA256
42ce7a5e9fae45e628311783ba8bc11feb7f136b32a116f89935b46b64bd87e3

SHA512
52f394838fe2bf38eb858f9686a58545c6e9f9911c00c9271b42e19146a996be895646c260138790de95199d044a67fe418efb24e9113ae55ee7e4fbe6d9b175

Download Submit
C:\Users\Admin\AppData\Local\TempJSOWN.bat

Filesize
163B

MD5
d39cccc913240baa6efa209416c54650

SHA1
a80a7efbabf2efeb182cf64e9f19153c475cf2b1

SHA256
305e94792baf3df0a537a78527dd659f5359f28291242e09928d6c78f916f545

SHA512
c951547be1a48011283fa7bfcb0dbadc01e21b377b1fd1fab96f61c4ef692544fcbfa87f5d981221e6a8c7e2520dc87ba269c8cd8532e833df6d5a5df047f5c5

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCO.bat

Filesize
163B

MD5
e19b90bfba2c69d2c21ac3776c877917

SHA1
85d70a13fc6e4842be8e175522d24be6bd879a9e

SHA256
f26d0a66680e921a772d938e06bdbf148c6c8cf1d28d0e2d6f33b202f4fd55c5

SHA512
3473e5d438d56038f4cde527e74c8ea478621af9702f4e6f18d1041f45da675dbece582c6157a46fe76c79a6445d3f8833830ea6d2e717263cccbb563b90b46f

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.bat

Filesize
163B

MD5
26dc1b311a85668f400d2ca6a520c43a

SHA1
c3c32cf0a9c2e34e642a96a8fb02ae33dfaab962

SHA256
64bf4db157623c7c3b5793e1979cb2802dca2e64c99cf9cf1a1a89b8e8d262a8

SHA512
3a60c95a339cdb4477938255a03af444969d2574bd3ae341f0b61524a1a435673185ad385f46acc758f01ff1e6df4258040a0725314a263db7f353ff7fbb0107

Download Submit
C:\Users\Admin\AppData\Local\TempKXIGL.bat

Filesize
163B

MD5
ab03218c7bc1990e61ce6d03bd6b272b

SHA1
9eef00ec9f1e78c08fdc054d860c351f31030a07

SHA256
5d861be2c28e0c100dcaf688357b1541f2cdd40e62921da3528ec2fde5a4ddf4

SHA512
46298481ed75c80951bfeffdcd2bf2222fff93f9643e90dedf70a0df8ddd921719995ad65ed352fbfe9b59ebaac3a9f990355b1897da94d25ebbe36ddd70c3ac

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.bat

Filesize
163B

MD5
fd2e1ac873abdcf75d414027ffc438af

SHA1
031fc7c7a45c88e0122241cbb6d2d8f5be1a12be

SHA256
397ccbb85835159e8a38e447cc96082365901a66ed882919641a6c6f114c60cb

SHA512
9565732efe62cca6179aa42fd6c403ca1b333a63c2cda04478a9589fa67b48efd2369961ab01fc7fc8710f078a52f402d621772650e1eb185816adbfc327d4b9

Download Submit
C:\Users\Admin\AppData\Local\TempLPQVB.bat

Filesize
163B

MD5
0b5902a513078dce612bdb0904f70d14

SHA1
96280bd49e5a5305afd1e9564f063b95218562e6

SHA256
e1a1bdbf6313d19210601de717b5f513cae9cf90ccfb50ba9e06b6627b20bae4

SHA512
76067c4641dd3e186b1cbf0f8c969fd58a38b5b72f444ba6c1be91e0b1d9d2dacaab831691e972d1fda45e9546469f6400ed3d2814d2435fb91b838e6ac6095f

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.bat

Filesize
163B

MD5
7ab00c2d0ec3d74d552ef677edafa12d

SHA1
9f553e5d98a60c4e079c57b27d9545066605e02f

SHA256
898f879244a352030d694967feced2116a26e20ed258ec21ec23df4afaacfdc5

SHA512
23c9e91b67f5f3868d16d43fa5d3271f945ac0c48dfe77ca6aea7e0b24832a86e8b8da26647b200b25e1cf6445f75802bbd33566e25eef9ed5c86e9949f8a9e3

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.bat

Filesize
163B

MD5
5a25b81aed74b167ea51919cf873d2fc

SHA1
56b2f2e5184300b74b0e947721dd445ab94b5fc1

SHA256
c94980ad5bb0ce23cd44cd7ec3580a7fc7f4104201304ab657e3506921f5c05d

SHA512
a96b1a46f7957df8ea087efaaf0fbb2b6045df6b371cd56e5b4f475e0c0adfbc2c3dfb3d2fc85041202874bc4a58d6e28eb98f8dd08ea2203dc1cda217d3f0b1

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.bat

Filesize
163B

MD5
b1d806a91b70ca83c060d89048cdb273

SHA1
0865d2932c37142a30971e2d143e1e5c74657934

SHA256
cf11fc51fe8d86044f4c0023027a0608655684e11db86884295c0427ab5a3b81

SHA512
ba3ea12c4bc3857bf241eeda86de6cb6d45f9820e84fa90e6b89be5f2257800779414dadf34ac6709590a437d1ed79bb69459614646822f29b72152af656f7ba

Download Submit
C:\Users\Admin\AppData\Local\TempMNXTA.bat

Filesize
163B

MD5
b5f1dbdd61899b01889ca36394bfbcd0

SHA1
b7d45fdbf9502664c05df2c24fff6e7c9dfa8550

SHA256
e4dd63554ef451959bd56b71673a60f004decfcc5a7270cf39832964288cfc45

SHA512
8c8472ce9959299f4878a84ef0d667f0efd367fdb40e90da3e1f651cfadd0477a4bd0f906dff1ddf1b1a6b3207623bac0b4a9b6d48e81a6764a7200851158458

Download Submit
C:\Users\Admin\AppData\Local\TempMVHNS.bat

Filesize
163B

MD5
3c9866df0081bf211407a2e5ef5b956b

SHA1
27c071f2ffd32e19eab77cf1f14bd73d7380fce4

SHA256
7e0d3b53ef1eff61a0dda5f24bc00c980c12eed99c2087f11286e06c96cae586

SHA512
ef5aee8c438ded5dd4c03ef16c951f8c86eeb7ad0d19ded0db1247ff26c7f09d610325e4c51a353a1958613054230d08d287081065c71ee616856acbe1f612ec

Download Submit
C:\Users\Admin\AppData\Local\TempMWRFC.bat

Filesize
163B

MD5
8ef398f10eb3af1865b8ec58c18aa300

SHA1
888e18364349d6e9cbcffb02a5b1a7850e11b659

SHA256
51c32cb3454514cc43944ed14e7dd22eb408737eef7ccf8e2196ad5494895278

SHA512
744b2b7be22dd6115ec3608fc8d940e3489f606d1365374c65b7268acfdf3cf418455ac12cde71a3d7a729b1b9c7cf703caa1c5223c7bd79fc3c6d1974b23ff8

Download Submit
C:\Users\Admin\AppData\Local\TempMWSFC.bat

Filesize
163B

MD5
d436191c50229e232e217c85c462aa77

SHA1
b2aa8f91e2a09897c42675400e041b62bf538101

SHA256
9ffcad743b0bbc3436f3b164eeb4a24245c1cbc77f61b527e918a3d31e2485a6

SHA512
12a6358d4d810873c33b140f50c7ae47ea0eba0d9ce26c3b37b8a24a52c1c06d2b68aeaed032fde2fee3fa4e836baca9e144d9b56062ee1ee7733718dacac5ce

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
f3b8ddc4d4fad0bc32f84eac08e8b5bf

SHA1
e01268ff601b676b24a9523067c804a7acd5685e

SHA256
645541f0f595c8bd565536eac2333a00019fdb7cb74fe9ffa313dc4c64ed881b

SHA512
d0ca064e5ade826aa3a5e80f30dab95565ff2e7ed104edbdd2e036412559cc78c9ef5090705e95f079c0ad6bee1386f5a4beb75b2b5bed282dee5762a27ef865

Download Submit
C:\Users\Admin\AppData\Local\TempNOXTA.bat

Filesize
163B

MD5
4febd0c69ee4be6773ca67e0e845b982

SHA1
176496a4a3d6cb0371deeba7367c63d290169c9d

SHA256
0a869712ea250aa0f1512fd5feef21044ff2b2b78bf1173adfac70039415706c

SHA512
f3574c2afeb12abc3fc528fa09e2786e4e3b41dc0aea0e351df3f5005536981e947753df9c3de78e06a6f9892d34cd7c33cf404ea5a1bdd205936fcad310049a

Download Submit
C:\Users\Admin\AppData\Local\TempNWIOT.bat

Filesize
163B

MD5
3fa377d490e135358ff8715b7130b57c

SHA1
90826df37fef897b8d9b2a225d23b581e87e5e71

SHA256
07652d1b9830b4d5d201dd0a67c88e979c0a47fa940c7cb638286e51b638b7f0

SHA512
cb99c54fc5345e204f70433c41f232e80d8893ee4447f152781f9b7a07b24319ccc47805fc35669ed599fbdce7c0c58ddd70bd6b3b0878716368f0bee0c1b61d

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.bat

Filesize
163B

MD5
9b8ddcb8a03dda0db854de76f0b97656

SHA1
33e6cf7b482d51ef46095957b6c7757aeaf3fe6a

SHA256
4e81ba1a0b8e70dbfa0c5b77c2b2ba7e2a1e1842ddab305960de4d3f8422a368

SHA512
967d33476d233c9f45d452247268ac5c03eeb104330a885bf6bfaf9143c19a67680ec766122a884aefeaf6375d2b9c4959cb7458ebca18443b5610a2a8223840

Download Submit
C:\Users\Admin\AppData\Local\TempOULJN.bat

Filesize
163B

MD5
1031de00fb12877ca1ea3a3c30e9c1d8

SHA1
9d7f12c6855696eef7c341525b06b4b3ed3a55eb

SHA256
bd33a9c2689e3f7798a532cb2d7212a91bf702112aad1bd0785cf1fb5139a6e4

SHA512
144624c0fa8a42299345c68fe6f8fcf9e4a74dcab009d69039fc24d12c22a35484bf5f28d270bc50eb15351e99c16c9d3376fd27d3b6a5b9e632a06dad9ef2db

Download Submit
C:\Users\Admin\AppData\Local\TempOXTSH.bat

Filesize
163B

MD5
f7bfb453faab979096f675bbba881d5e

SHA1
0018fd00202db197fd7efdb7d17749bae0f863f8

SHA256
282a1d54c280c2510264d7957caa67f6eb563107017bded592a55c3d5fcb6a15

SHA512
be71e8a29234d0de31003c30af92dac7986d192c5a41197c7b6159f4428bb94be89ac777e15322e8d7e11930dc7adfd24fd2ce001884599113a8149f5f87f7e0

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAT.bat

Filesize
163B

MD5
8017c40b3b87f358920ddc3a7822801d

SHA1
d1707ebb4875777b38e09531e15d0cc1bb133731

SHA256
ae1c8c15c6aa20d60fc888d7e2067bfcee9d767bfe85da8c6922e998f4c2ed5a

SHA512
b9f5f59b6d2d8e5250737c461625785dd78e697c9abf87e5f94751aa0f07e1f62fca270c00202ec6af2b18afc052de611eba4cd126b5ce78c913b0d518ca9354

Download Submit
C:\Users\Admin\AppData\Local\TempPVLJN.bat

Filesize
163B

MD5
577f5996f783f890ba33c6040c10977c

SHA1
d1915aefdd08072f2e106d8b9542286c8a5fa759

SHA256
d08343b6b8202d4a4277e3a76d5aa1eccaf3280293107211fcd647cfc318679f

SHA512
a60567082ad8f9ba8e96752f664c270dac82056d1fc05720b3b9854994b19a1d2b2ac47a707140799a24ba08acd1f4e096821228f167c29855b111df26e4db1e

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.bat

Filesize
163B

MD5
373e3e79d33ab24a63920df75aadedac

SHA1
025ca3368b01e37d1e2f466a1612d6be164af035

SHA256
559746d47a9aab1f4b5e26da733afce2275997ff8470bc178f65d8865bd4ef52

SHA512
33af5673baf8114720e31fc265dbbf6f3331709e0e9608acf90ab02f67e90c8dc57a860d19be1b5ad0716fd2c43e7739c2c70569122c009c42a6ea9e9d4d48b8

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.bat

Filesize
163B

MD5
6b22f9a52b2074c541d9fdb9568d82ec

SHA1
0ca1a1050df5be325decf699718c1c9ac037596b

SHA256
7e2f886fff4ca79f00e82433820ef385513659e190c15595c09b0efc3b35d806

SHA512
e9a9ece7080be7b19eacca0b9990ce5f1f629d0a6b448bae8c9ce2ee8a0f5b4e0fb8fc8e7bc7022339a678b8837296487f7def6f75e7fb730d06b9b9f6efe9cd

Download Submit
C:\Users\Admin\AppData\Local\TempQCINA.bat

Filesize
163B

MD5
132ee7f892bcd0d0e5b996711fd34cd2

SHA1
d76384e799dad01ca934cef98f2ecfb4ce20a5f5

SHA256
482366c7c38bca8a31cac2fe83c84e6269a84043eaf665885e58b84ac9a365c5

SHA512
3844b6dda104bc3f012b4f21874aa8efb315409f592d8a4fe977de6ee26123b4119eabc3fcac3911f712103a63f5a3991eacfe6090a49d6f46516db182d33343

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVK.bat

Filesize
163B

MD5
1b8a00edd0fc407d3403cb505dbd5f65

SHA1
01e6613e2bf660ccd6a0c976b7ca8a7abaa54fc2

SHA256
e11c26837d37df3c197fa7828924cc2ba298fda359ecef1db90c23f8f2503a5a

SHA512
b63261cbc40fb7e5cb957f9417b78e8857ea5fb57c49aa98421737892626ccec8cf51426500e88e942be731c5fc8eb48b533e7c962081aa0c049923c31688f4a

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.bat

Filesize
163B

MD5
759a614ace0e3352f7d48e1e47c9c016

SHA1
3f96be3a19dde37ff44f0630880feeca3c6a2fd3

SHA256
7af5d185d2338b34d83e10d849f5424ff517bbd2a1947f15952e8b346020be89

SHA512
6a145c0ba87f9a98d69c68bb1f6f16eb85e1f10019e75241fe3ca77010cae4ec4fadc6625b11a8725a0f7c48a0df57062adf01f74ea5156bbf5fb76e83e8c4d4

Download Submit
C:\Users\Admin\AppData\Local\TempRRCWV.bat

Filesize
163B

MD5
1c62971fb6a107488ab956b7fa44de74

SHA1
800a7560fafd0eb6277307513266e9cec10a2dd0

SHA256
7f3f14eab8ffcd3f6b0dffde00360b5a99862e56d05588b794a0f4b2c8737159

SHA512
6e98ba70daba32ce6fc96bd721f704bee928c7c1c3f1b470e9aeac71b07adb42dda54e7efa86d601061c71ccfe093d400ea6fda9d74a16ac107adf2844a57c23

Download Submit
C:\Users\Admin\AppData\Local\TempTYKIM.bat

Filesize
163B

MD5
ef318d36c60c50998d4ee3612bb2c364

SHA1
6d4260c806898d4833c0fdbf33cb6261633477a3

SHA256
d17d6d8fc2dfe6e06c477d461b937c0ed710312c8fad215f656b48ab5979cb97

SHA512
c319cb274db910d20ec4b0f5c540d4cc4f29ef05283f406cf10ca068f08164115031b296ee8b31e316dcce6abf248041cef406b14692277f9901cfda5bf841a4

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
61101519a3da1228d0e0498cf23f87f5

SHA1
23984750bbaf6fceb0c0fbeb529e99639b05e8be

SHA256
9c159a7dda38e907392f7f5f8eca5e53c87da914822ec84ede5bea5c8c8d37ac

SHA512
26ba91b2024c784543aa8b1d4ee53960426804d7e818bc01b7ee35966601d6d5cf9a520ab631fe0f86285f4ad5cfcf7796a81db944e4f89b6842e4da25103a71

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
a3e636817c81440b8ec8f4a3fa40fe14

SHA1
7ce060d703b153db843dc9c98bd4d751fbe06292

SHA256
e9336459ff6c1d72c98003c12815003c4405a650da6ce3d5aac4ec3b2906c12e

SHA512
90256f066693580819968efbaa7c70955b49df02bede8faa27c6b9ac8de6231ed31d16f7456e69779e64dd4c52d2d4f0952db5132b2b335a6518e6cf57a97a4d

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.bat

Filesize
163B

MD5
80fcdb7f0d083ecadec5420f5524c4df

SHA1
04f86b3afa07b6fbe7e2591bdb3799cc2e78750b

SHA256
743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa

SHA512
7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04

Download Submit
C:\Users\Admin\AppData\Local\TempVGHFN.bat

Filesize
163B

MD5
649768245ee376ffc501a33bebe3ff51

SHA1
d27f6c33ff1c4afc71dcf3eb412dccf631a44782

SHA256
9ba2fd48a5053939f3a6ef807b75510608cd60c4fea4eb8880b16af43695b8d3

SHA512
8351c21ac564aa3a93cbdf4bb0f8277d10db872bd9cacd8c5257475f89133383431b9687642f743cb91966d98bb6cde1978b2a33536dd5799bc063654d389adf

Download Submit
C:\Users\Admin\AppData\Local\TempVRRGP.bat

Filesize
163B

MD5
177ef685f101b4514d38da08c26b4916

SHA1
a8de1a4932d0a294866dfe6df603332810798f01

SHA256
68d249174563164568155732d8d4b0f6a204dabdcba1dd9cc0200bd546553a52

SHA512
ccf51f66d9de532f2d73d7618484c1305001aa7739d1ee7330d9dad7dc08e8f1a2ccc50fa02e594681d534f453992d455e41f5df76274c4728cebc5f11cbe384

Download Submit
C:\Users\Admin\AppData\Local\TempWIOTF.bat

Filesize
163B

MD5
652f407aec6e62db91f8dceaeb49bb33

SHA1
0eeded2abdfe0fb8c0eeab654b062b4bf3030bfe

SHA256
9a073162fd314d1076ec3bd0432a678aa65b00df5414ade34a9f5fb716951e5e

SHA512
7ccb3fc2c29cc1257bb2eb0d163e07204c476d0c26a2208a38bef33ad45781d50738b8c356d29f478bc467efd4d767cc406ea26035dc010e6672de293d228960

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.bat

Filesize
163B

MD5
2d88b6f973244a550fc52969ff4731d0

SHA1
c2ee94c917051b866b4e86c4a9172cb5bd55fcbc

SHA256
725fb8315a8dcc5fc12d0de6a3a0e307b80ad030920bb41897555c0948b4372b

SHA512
7c09587a68a3813cf9554294c66cd27828ff4852dc1fc2d66aa792da3f78716b4e626b749ce0264a0148093c1400b6a1f8120777d76f1408f295854d6e8fb693

Download Submit
C:\Users\Admin\AppData\Local\TempXMIQI.bat

Filesize
163B

MD5
23b334148f422c981734c5e6931abd32

SHA1
73309ce790362c60b09e6846bfedc5fa0fb97007

SHA256
eed120a8c0e01c0cc8dc5b653e163e164398ad91e1ceac1413ee081c23539d1f

SHA512
6086a33d99e2b73b1d03e52641651f6cfb4910e40d3b50e31dc3e4acd123ea5dd85f6e6cfdcac965adf08dbb32cc7af70e8fcfeb1f346b4a664de3cb71f23619

Download Submit
C:\Users\Admin\AppData\Local\TempXWSST.bat

Filesize
163B

MD5
9345f08689fe9ac123c094bb65366e77

SHA1
470d5369ba4dabee336ffd97339d7dcb6396621b

SHA256
0a26021dfbb14124ea33771520cbc86fe44997638dea0ab0f44d423e3d36bfea

SHA512
55c30f1fd537ad7d87d282faeba49bbf76700f3d1a497f3c0bb7e90cf900099945804c860235db2462b10de94c90d75dc6d44aac4665066d855179191d02419f

Download Submit
C:\Users\Admin\AppData\Local\TempYGPGD.bat

Filesize
163B

MD5
1f8f579ab62cfe581c4c6de860067269

SHA1
6f7cebb86c094487b897e28f8bdc260ff16775b6

SHA256
206b0a8b5576f2f0dff9c0c148dedaec8c2e8b12e29a91b89e3af94010328d84

SHA512
c3fdc977c60ffa648d4e3e9d79773512721dad09ca6502c700cd4bf0f8f8fd08f6f559221b108263af8163df501cf439d73cb2c4d64937501551171dcc3c01f0

Download Submit
C:\Users\Admin\AppData\Local\TempYXTTU.bat

Filesize
163B

MD5
b02893b7e1264e03427657ad7e8d60cc

SHA1
67a83d11cabb1a5b009643c45f8dd03f84b36b69

SHA256
b23e099f605d205a37e7d6817808f1fe52c00187c831f87488f66936efab9ac0

SHA512
17ee8dedf20937b83758dc7dff8fcb0d03468d724923870c49be71c25e5382e9521fd35b744d0481ea3920e1af36f851f60b46ce3b15f39a51adfa963152b187

Download Submit
\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe

Filesize
520KB

MD5
dec65c9aad9a24611cb9c2cfebb483da

SHA1
cccfa5db5127605d3fb697ff45ee3085a6e35e10

SHA256
c811785ec916d1a99b04c82a9d84cf0ad23a07c55673455a4d9f0a207739d771

SHA512
cd05e4265b375dab5f36080d90c8624c553e1e2e46e68d6dc78deea6e2092ea50d88408ef0a948dd709fc53e4563a290ea1b36d3996a959cd9bf24c983a03ded

Download Submit
\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe

Filesize
520KB

MD5
92aee1b50e78def0612095f0faa59492

SHA1
f23dd4488d64fcd46abc4b708f7d90baea055ce5

SHA256
44407e204f58daad73cf8894750035a085e91163e6873f579b92a52ad5eb099f

SHA512
b584580c45aaa036e4dba5c57aaf828559fa05fa4527ddbbaa6ebc61017bba15415c732ae8a0c7de5c35d1db2c338e548c8439c987767e60edd19bb646e75f00

Download Submit
\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe

Filesize
520KB

MD5
ed3e1b579746d4046cbd6a4cda4506a8

SHA1
077d30f5d8870b84e0856bfba48f12d10f0fda5e

SHA256
30378eca94a46f32c9a81907fe1a448bcb58d9a25729f1f2350ceb401e09152e

SHA512
5300f14aed837bb4817fca5968a35ad64350706f59a71b26c63d0f06a54cffbe8f9101393374c52dfbde95649e1663da922889456a1ef848a8f1568c576019b4

Download Submit
\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe

Filesize
520KB

MD5
be6675220d2463bab5e6113cb9675360

SHA1
834ba1d38f0c5942cf559f2a0134247c8b660f0b

SHA256
361d2cbfeb6a72f96de13379215650f7c4ef2d90b9f9199d955d924a276784e4

SHA512
0d0b623c2bdd592940c780f3599c635c04bb94aed81c88a7228db993832662454df76e76b71d300211aaba556c6867932dfbc0f7cfa90c81b021aff8b33e25d1

Download Submit
\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe

Filesize
520KB

MD5
aee31a9d17205c606ad1b79edef34973

SHA1
48443e9eb42496f4e8220adc5f5b153e7bf15825

SHA256
a08f3eb5a5fcc973af9434eb39b588c76c36f5c343bcaa9c49e6890981a28446

SHA512
c46d8c5c8da4d4274c505ec01b19897e62f39a6cb315d1838c6202c3ec09f2932b3c3c96f9a8a039e1c660ed747d21362875d05a17c51823c3ebbb02a10b744e

Download Submit
\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe

Filesize
520KB

MD5
dc7f130b15e013906bf59727d068c563

SHA1
2ff3ff7b7873dc1f585fb063381175f9328bed7f

SHA256
db14e872ed7f1c61e3057c3b69e3b5c3d9046d5c5ff83e2d01fcaa74cd003417

SHA512
24c918a4ae6d8925a639365818e03c7854fb2026cfba6165880ea2bd0db6a99901cec9722a14003c1b505b8d873adb44b2a4dfba5d62d9b48cf3ee29750bf7b0

Download Submit
\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe

Filesize
520KB

MD5
fbd0da60992c474fa8f710a05abbc7a0

SHA1
bbea64e98b9e17e464c4676b0b39906fb251b82a

SHA256
bbd22cd39bf24e54e4dcbf1dbe64519878d37df8868d7d435028132e9ec0e391

SHA512
b505805af2556922147fa98af06e63bfee318d33b91f9d3575a9fc20d9aa5e1eda901a73b74dde81f497f058bc05c6b71718f1409469b764b0423a45e3354faa

Download Submit
\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

Filesize
520KB

MD5
b34cf32225094536ef476673e881407e

SHA1
d2a952eed56b4e72f94f42f4672380642ff38ceb

SHA256
c8e66148b36714797ea1edc36f893eca02fa802082c6a6f3684422339d935423

SHA512
ee95f25a788fa6478298a40d5084c2bf16f0005dd3a01d33a9020561d1c08ea0653b27e4b8d975df11d0b1075543e443a4c1fc23434f7ec2dcc3df134b609c98

Download Submit
\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe

Filesize
520KB

MD5
a176592e1a6f756ac11c28ccdf952b5a

SHA1
968d6e6f2103543520c14e0c5c01e5b01a235e2f

SHA256
19af71d5a1ac35668f97c003e80a74d8ebc45138ecc1ecf13094002b4912481a

SHA512
fbc608566c773d85bab6ecade373b1160d8ee0eb10eeb2b99b73fdc17f4d4f8a87d11776f2395e39dc640e4fb7fdd2bb93df64f6b63f897fd387886af7e92213

Download Submit
\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe

Filesize
520KB

MD5
e3badd68e786495bae742015fd1ce9bd

SHA1
48d54b0a1f1162dda4337d3ff27151ef0120fb3b

SHA256
2a09baa2c29ab6063b90a63db7c27b878288edce8df6d8c6b8a84d29de50be15

SHA512
b9213db8938b0afca8187380c2e6b81e214dfdf4c420064df585226ef2ed4e734cb694d1ec40cc14f886ba923835c58b41e5a19fa12ce04a66b4b1156f8e706e

Download Submit
\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe

Filesize
520KB

MD5
87948ac7ae836725479f8eb5719f2962

SHA1
723c4343c61bfe097b61292be3923d7349cce6d3

SHA256
aa88fda8f91696e516a8045f35c13c25439d09ea40821cef55266236185b471d

SHA512
8454575e22b8dee37ce737cbcf41d34833361079617730e6eb58ad793477d98bfdd8c1e3f849b1dd1d05c65c54bcdb58d966e5e5361d939892a31ede0165d41a

Download Submit
\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe

Filesize
520KB

MD5
7aa810a0e0ad9d1e336bfc86de25f3e3

SHA1
1eb54bb999d47408ba44ea70b489fca65d9eddc9

SHA256
ba450fe2cc0866aa22e86a8f7b80653ad3c849ad2915fb343675811d0c98d143

SHA512
df54c5fb787d91bf8c88c6648329bb0de01c48baec6730a5b01bc106f58bd16d78e7651411f7041d9bbfa5a117eabab2e52a35a2cee7166445e0779fcd4f8b42

Download Submit
\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe

Filesize
520KB

MD5
e0b003352a3e977596d046cbd42f374b

SHA1
941a845bdaae058ac9d864106c6e1d5f0407646a

SHA256
fc4ba345eb916428693b9a37065788051ac8f386cfb61eb695682212b627de9d

SHA512
db63a293eb06e170dcb5a1f6f328a1a55cc1f71d43855dbde3b6dcad502be5c3d3f69c34698bddaab66c6733e154436b8cd3e4e671d4f686ee0b9c92839bed4d

Download Submit
memory/2700-1482-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2700-1487-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2700-1490-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2700-1491-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2700-1492-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2700-1494-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads