Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/02/2025, 22:09

General

  • Target

    3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe

  • Size

    520KB

  • MD5

    2168141fcf982917e05f4981a174947b

  • SHA1

    212a5c866bbafabbf56df672313a81b6a722337b

  • SHA256

    3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e

  • SHA512

    6e7c1a8e13699214732b2079b3e13a3ce53d4818713fb0bccae6467d22287d78dfd80afe4c061e325523148228a806cec4ed5aa13c312843f835bbedb0ab7656

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXb:zW6ncoyqOp6IsTl/mXb

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 8 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 47 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 46 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
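The most hunt-able part of this report is the Run-key persistence chain in the Processes section: each service.exe copy spawns cmd.exe, which runs reg.exe to add an HKCU Run value pointing at the next dropped service.exe, then launches that copy. The Python below is an added example, not part of the sandbox output: it parses reg.exe ADD command lines of the exact form shown in the tree, keeps only entries whose shape matches the persistence seen here (all-upper-case value name, target under %LOCALAPPDATA%\Temp\<upper-case letters>\service.exe), and emits cleanup commands. The sample input is constructed from two REG ADD lines copied from the tree, one made-up benign Run entry for contrast, and one of the report's cmd.exe lines that the parser must ignore. The 8-letter lower bound on the random names is a deliberate loosening of the 15 letters seen in every entry of this report, and the `remediation_commands` helper is a hypothetical lab-host cleanup, not something verified against a live infection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the first two lines are REG ADD command lines copied
# from the process tree in this report; the third is a benign, made-up Run-key
# entry for contrast; the fourth is one of the report's cmd.exe lines, which is
# not a REG ADD and must be ignored by the parser.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVWUCDOVLJNIQEF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAMUMBVRMAWHWCG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Program Files\OneDrive\OneDrive.exe /background" /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\TempYWFFY.bat" "',
]

# reg.exe syntax as used in the report: REG ADD "<key>" /v "<name>" /t <type> /d "<data>" /f
REG_ADD_RE = re.compile(
    r'^\s*REG\s+ADD\s+"(?P<key>[^"]+)"\s+/v\s+"(?P<name>[^"]+)"'
    r'\s+/t\s+(?P<type>\S+)\s+/d\s+"(?P<data>[^"]+)"',
    re.IGNORECASE,
)

# Only the per-user Run key appears in this report (HKCU\...\Run).
RUN_KEY_SUFFIX = r'\software\microsoft\windows\currentversion\run'

# Shape of the persistence seen in the tree: an all-upper-case value name
# (15 letters in every entry of this report; {8,} is a deliberate loosening)
# pointing at %LOCALAPPDATA%\Temp\<upper-case letters>\service.exe.
RANDOM_NAME_RE = re.compile(r'^[A-Z]{8,}$')
DROPPED_SERVICE_RE = re.compile(
    r'^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[A-Z]{8,}\\service\.exe$'
)


@dataclass(frozen=True)
class RunKeyEntry:
    key: str
    name: str
    data: str

    @property
    def is_run_key(self) -> bool:
        # Case-insensitive match on the Run key path, whatever the hive prefix.
        return self.key.lower().endswith(RUN_KEY_SUFFIX)


def parse_reg_add(cmdline: str) -> Optional[RunKeyEntry]:
    """Parse a reg.exe ADD command line into key, value name and data; None if not one."""
    m = REG_ADD_RE.match(cmdline)
    if m is None:
        return None
    return RunKeyEntry(key=m['key'], name=m['name'], data=m['data'])


def matches_dropped_service_persistence(entry: RunKeyEntry) -> bool:
    """True when the entry has the Run-key shape observed in this report."""
    return (
        entry.is_run_key
        and RANDOM_NAME_RE.fullmatch(entry.name) is not None
        and DROPPED_SERVICE_RE.fullmatch(entry.data) is not None
    )


def extract_persistence(cmdlines: List[str]) -> List[RunKeyEntry]:
    """Walk captured command lines and return the matching Run-key entries in order."""
    hits = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry is not None and matches_dropped_service_persistence(entry):
            hits.append(entry)
    return hits


def remediation_commands(hits: List[RunKeyEntry]) -> List[str]:
    """Hypothetical cmd.exe cleanup: drop each Run value and the file it points at."""
    cmds = []
    for e in hits:
        cmds.append(f'reg delete "{e.key}" /v "{e.name}" /f')
        cmds.append(f'del /f /q "{e.data}"')
    return cmds


if __name__ == "__main__":
    found = extract_persistence(SAMPLE_CMDLINES)
    for e in found:
        print(f"{e.name} -> {e.data}")
    print("\n".join(remediation_commands(found)))
```

Because both the value name and the directory name are regenerated on every hop of the chain, the hunt keys off the shape of the entry rather than the literal strings in this report; a registry export or an EDR command-line feed fed through `extract_persistence` will still flag fresh variants, while the benign OneDrive line is parsed but not reported.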

Processes

  • C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
    "C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempYWFFY.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVWUCDOVLJNIQEF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2220
    • C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
      "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\TempWXUDP.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:264
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAMUMBVRMAWHWCG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:880
      • C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:400
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGCACXSFNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:836
        • C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe
          "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1648
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXIYDIXYVFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe" /f
              6⤵
              • Adds Run key to start application
              PID:2820
          • C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
            "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1076
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1768
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHCRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f
                7⤵
                • Adds Run key to start application
                PID:2324
            • C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
              "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2428
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1048
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:948
              • C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe
                "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:3020
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
                  8⤵
                    PID:840
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTMNWNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /f
                      9⤵
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      PID:1776
                  • C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe
                    "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe"
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1960
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
                      9⤵
                        PID:2548
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQUIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe" /f
                          10⤵
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          PID:2524
                      • C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe
                        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe"
                        9⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of SetWindowsHookEx
                        PID:2504
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "
                          10⤵
                            PID:2520
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCNUKIMHPDFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
                              11⤵
                              • Adds Run key to start application
                              PID:1572
                          • C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
                            "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
                            10⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetWindowsHookEx
                            PID:2716
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
                              11⤵
                              • System Location Discovery: System Language Discovery
                              PID:2584
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe" /f
                                12⤵
                                • Adds Run key to start application
                                PID:2600
                            • C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe"
                              11⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:2172
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
                                12⤵
                                • System Location Discovery: System Language Discovery
                                PID:1308
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe" /f
                                  13⤵
                                  • Adds Run key to start application
                                  PID:1584
                              • C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe
                                "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe"
                                12⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetWindowsHookEx
                                PID:1920
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c ""C:\Users\Admin\AppData\Local\TempPUPWL.bat" "
                                  13⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2652
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f
                                    14⤵
                                    • Adds Run key to start application
                                    PID:2768
                                • C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"
                                  13⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2412
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
                                    14⤵
                                      PID:1604
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMYUASWRNPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe" /f
                                        15⤵
                                        • Adds Run key to start application
                                        PID:1624
                                    • C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe"
                                      14⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2200
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\TempWTRVQ.bat" "
                                        15⤵
                                          PID:2484
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BFUUHIECEUIPJOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
                                            16⤵
                                            • Adds Run key to start application
                                            • System Location Discovery: System Language Discovery
                                            PID:2432
                                        • C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
                                          "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
                                          15⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of SetWindowsHookEx
                                          PID:1464
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c ""C:\Users\Admin\AppData\Local\TempWMNKT.bat" "
                                            16⤵
                                              PID:2980
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVDRQCLCULIDSMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe" /f
                                                17⤵
                                                • Adds Run key to start application
                                                PID:1668
                                            • C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe
                                              "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe"
                                              16⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1688
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "
                                                17⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1504
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGSTOMPESAIAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f
                                                  18⤵
                                                  • Adds Run key to start application
                                                  PID:1720
                                              • C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
                                                "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe"
                                                17⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Suspicious use of SetWindowsHookEx
                                                PID:868
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempVEQUF.bat" "
                                                  18⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2548
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IJGOAHLCNPKILAO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe" /f
                                                    19⤵
                                                    • Adds Run key to start application
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2404
                                                • C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe"
                                                  18⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:2528
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
                                                    19⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2988
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe" /f
                                                      20⤵
                                                      • Adds Run key to start application
                                                      PID:2620
                                                  • C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe"
                                                    19⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2220
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
                                                      20⤵
                                                        PID:2708
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJEDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe" /f
                                                          21⤵
                                                          • Adds Run key to start application
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2140
                                                      • C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMQWCDAJB\service.exe"
                                                        20⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:2916
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "
                                                          21⤵
                                                            PID:2964
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIKFDFVJQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe" /f
                                                              22⤵
                                                              • Adds Run key to start application
                                                              PID:1780
                                                          • C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe"
                                                            21⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2256
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
                                                              22⤵
                                                                PID:2824
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /f
                                                                  23⤵
                                                                  • Adds Run key to start application
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2652
                                                              • C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe"
                                                                22⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:1716
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
                                                                  23⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1752
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLMIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f
                                                                    24⤵
                                                                    • Adds Run key to start application
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:1188
                                                                • C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"
                                                                  23⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:296
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempFDRRL.bat" "
                                                                    24⤵
                                                                      PID:2956
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUQOTFSVQJMNWSA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f
                                                                        25⤵
                                                                        • Adds Run key to start application
                                                                        PID:2444
                                                                    • C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"
                                                                      24⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2060
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
                                                                        25⤵
                                                                          PID:448
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /f
                                                                            26⤵
                                                                            • Adds Run key to start application
                                                                            PID:3024
                                                                        • C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe"
                                                                          25⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:1356
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
                                                                            26⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1360
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe" /f
                                                                              27⤵
                                                                              • Adds Run key to start application
                                                                              PID:1632
                                                                          • C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe"
                                                                            26⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:2424
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
                                                                              27⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1516
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAKXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe" /f
                                                                                28⤵
                                                                                • Adds Run key to start application
                                                                                PID:1440
                                                                            • C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe"
                                                                              27⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2668
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempMVREC.bat" "
                                                                                28⤵
                                                                                  PID:2496
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
                                                                                    29⤵
                                                                                    • Adds Run key to start application
                                                                                    PID:2740
                                                                                • C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
                                                                                  28⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:2724
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
                                                                                    29⤵
                                                                                      PID:2600
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f
                                                                                        30⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:2176
                                                                                    • C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"
                                                                                      29⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1924
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempKOOIB.bat" "
                                                                                        30⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:2644
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IJCJJSNWNCLXUTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
                                                                                          31⤵
                                                                                          • Adds Run key to start application
                                                                                          PID:1780
                                                                                      • C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
                                                                                        30⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:2232
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempPYATT.bat" "
                                                                                          31⤵
                                                                                            PID:1896
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMANYVBTXSOPCHP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe" /f
                                                                                              32⤵
                                                                                              • Adds Run key to start application
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1832
                                                                                          • C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe"
                                                                                            31⤵
                                                                                            • Executes dropped EXE
                                                                                            • Loads dropped DLL
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:2672
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempLGKYH.bat" "
                                                                                              32⤵
                                                                                                PID:2792
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMREBQYQDFAAVQE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe" /f
                                                                                                  33⤵
                                                                                                  • Adds Run key to start application
                                                                                                  PID:1624
                                                                                              • C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe"
                                                                                                32⤵
                                                                                                • Executes dropped EXE
                                                                                                • Loads dropped DLL
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:1604
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "
                                                                                                  33⤵
                                                                                                    PID:2324
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe" /f
                                                                                                      34⤵
                                                                                                      • Adds Run key to start application
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:2772
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe"
                                                                                                    33⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:2456
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempHIRMV.bat" "
                                                                                                      34⤵
                                                                                                        PID:2200
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLSHIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f
                                                                                                          35⤵
                                                                                                          • Adds Run key to start application
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:1480
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"
                                                                                                        34⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:1508
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
                                                                                                          35⤵
                                                                                                            PID:1912
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVAWKXIHLYCMSKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe" /f
                                                                                                              36⤵
                                                                                                              • Adds Run key to start application
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:772
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe"
                                                                                                            35⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:988
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
                                                                                                              36⤵
                                                                                                                PID:1284
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
                                                                                                                  37⤵
                                                                                                                  • Adds Run key to start application
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:2372
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
                                                                                                                36⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:2000
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
                                                                                                                  37⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:2844
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIQK\service.exe" /f
                                                                                                                    38⤵
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:1536
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIQK\service.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIQK\service.exe"
                                                                                                                  37⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:2496
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempUVHIF.bat" "
                                                                                                                    38⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1220
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMLYFPYWGDNHIYR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe" /f
                                                                                                                      39⤵
                                                                                                                      • Adds Run key to start application
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:2592
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe"
                                                                                                                    38⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:2920
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
                                                                                                                      39⤵
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:2612
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe" /f
                                                                                                                        40⤵
                                                                                                                        • Adds Run key to start application
                                                                                                                        PID:2052
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe"
                                                                                                                      39⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:3064
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
                                                                                                                        40⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:1424
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCJVWRPSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe" /f
                                                                                                                          41⤵
                                                                                                                          • Adds Run key to start application
                                                                                                                          PID:2204
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe"
                                                                                                                        40⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:2340
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
                                                                                                                          41⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:2420
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
                                                                                                                            42⤵
                                                                                                                            • Adds Run key to start application
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:400
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
                                                                                                                          41⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:2416
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
                                                                                                                            42⤵
                                                                                                                              PID:2784
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "USRVIMIGWULKMHA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
                                                                                                                                43⤵
                                                                                                                                • Adds Run key to start application
                                                                                                                                PID:2944
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
                                                                                                                              42⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:2684
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "
                                                                                                                                43⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:1604
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOIISVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
                                                                                                                                  44⤵
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  PID:1184
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
                                                                                                                                43⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                PID:1496
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
                                                                                                                                  44⤵
                                                                                                                                    PID:2284
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe" /f
                                                                                                                                      45⤵
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      PID:2476
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe"
                                                                                                                                    44⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:1844
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "
                                                                                                                                      45⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:1508
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe" /f
                                                                                                                                        46⤵
                                                                                                                                        • Adds Run key to start application
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:3020
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe"
                                                                                                                                      45⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:2104
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
                                                                                                                                        46⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:1372
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f
                                                                                                                                          47⤵
                                                                                                                                          • Adds Run key to start application
                                                                                                                                          PID:1712
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"
                                                                                                                                        46⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:2092
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
                                                                                                                                          47⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:2000
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe" /f
                                                                                                                                            48⤵
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            PID:1568
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe"
                                                                                                                                          47⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2608
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe
                                                                                                                                            48⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:2552
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                              49⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:2584
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                                50⤵
                                                                                                                                                • Modifies firewall policy service
                                                                                                                                                • Modifies registry key
                                                                                                                                                PID:2492
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                              49⤵
                                                                                                                                                PID:2688
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKFEKGWJRA\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                                  50⤵
                                                                                                                                                  • Modifies firewall policy service
                                                                                                                                                  • Modifies registry key
                                                                                                                                                  PID:2724
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                                49⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:2988
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                                  50⤵
                                                                                                                                                  • Modifies firewall policy service
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Modifies registry key
                                                                                                                                                  PID:536
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                                49⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:2176
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                                  50⤵
                                                                                                                                                  • Modifies firewall policy service
                                                                                                                                                  • Modifies registry key
                                                                                                                                                  PID:2052

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads


                                                ff8ddf6bf9e22f19b440a0e65f61325f

                                                SHA1

                                                53331dec6261ef73acac458313d465931ee3550f

                                                SHA256

                                                1160ec43828e119e2e55a60e06399eb0f0306ca90f26d2a460e41cb53c5cccef

                                                SHA512

                                                1ccfc853c063d1badb315031ba3852095e033142a62d79a2bf0ca8bc817e7aeeb23900689c51df694ed340da803eaae03cc56e4effcb3c53919f60c912a5ce31

                                              • C:\Users\Admin\AppData\Local\TempWTRVQ.bat

                                                Filesize

                                                163B

                                                MD5

                                                ce683b4c1ab7f71c924ba4a0f1d71652

                                                SHA1

                                                6c2d142bb7bb7c210634f07737573580c1ebadbe

                                                SHA256

                                                ade22db992bd7ea345189e55e9e50c54ee03585ff892894099195e8179c1957c

                                                SHA512

                                                6fdfaa502c57b80e3ab2ecc9e8fc177cc0cff5be4988d41918a4c0633549ab828aed5ed4e536ad3cfa05f9651d1234fac1433d9f7d996b48f6382e350dd0fa60

                                              • C:\Users\Admin\AppData\Local\TempWVRSS.bat

                                                Filesize

                                                163B

                                                MD5

                                                ecbf0cbab9dad148c5ad57d1ce1f59ed

                                                SHA1

                                                42a9f5253fe3e05faa59878b2382b77ea8341b2f

                                                SHA256

                                                169fef7bf9b907f256d2785a26cc1cae9cfb98f3ef15023d2b8827b93d8f5911

                                                SHA512

                                                5e5e40a1120d77c18885c99c2112aaec6e03305faca1e6cc665346d6fcbea46f56606808d7949edd8dc0ea3e212bad0d349aadeb07afdf9a96440c50e5c8cc58

                                              • C:\Users\Admin\AppData\Local\TempWXUDP.bat

                                                Filesize

                                                163B

                                                MD5

                                                6702fd047e328215508c753f2d073779

                                                SHA1

                                                6141cefbc5a43095cbd5b9ab184e4e3757909cec

                                                SHA256

                                                8d2551817c16db1cd8a8ec949dd652d72bc20fcc2a6629eb1ea61b2aa24f951a

                                                SHA512

                                                0bdf4ec9f5e087d957e4f78dfdc0503e7251b53e27f4860f9b8c07127bc575682b1f331fb59885b1149dd6cbf0d19412373f77ff4691c0292f6fcc686019011a

                                              • C:\Users\Admin\AppData\Local\TempXDVUQ.bat

                                                Filesize

                                                163B

                                                MD5

                                                ba84db195f7d472229e4051ea0002f24

                                                SHA1

                                                d4d7b780d5273d1ec9c7fcdd6bef49c2696b6619

                                                SHA256

                                                91347d6d3afdbd3df151cdb3f91f2aaecfa09cd10ec6939ed211121d84b06dd7

                                                SHA512

                                                a05bffc253cc8028a9865c41670890a9cd966f5dea22c035d2cc991eb8fd573b924540b65de414f1867e3a9bed490eb09af16f3aab2fecd94563a03252788984

                                              • C:\Users\Admin\AppData\Local\TempXDVUQ.bat

                                                Filesize

                                                163B

                                                MD5

                                                4004805be9425a828f1421bab4a3a78b

                                                SHA1

                                                b8a6fc4e959fdff961ce6aab8090fd1809c19590

                                                SHA256

                                                967b88ff41ccebf1a53fa4b1085ae1805561464d535440c5598d4e9072721aa7

                                                SHA512

                                                37625ff599536cedc336402ed823bbaf31b7d12c05a87e674cfb4f0fbfa7b2a6386f66eecd0373c43d9ab9637c2127c66fc31de07235be3baac2aaf0b1f193b0

                                              • C:\Users\Admin\AppData\Local\TempXSSHQ.bat

                                                Filesize

                                                163B

                                                MD5

                                                ab783518bacc2f458db40182ced8fbd6

                                                SHA1

                                                eb52c1b4d705d906ad71f726d5253c16b8f231ce

                                                SHA256

                                                48172211812a82bfac83fd33628ad41781aad202c46658e9f81ac0d0b294c5f1

                                                SHA512

                                                dbe97dc0a8cb018bd4c78231cc5c33ab413ffce7cd1151ce9d31e278615d8c8584debe67702e6191008b1bcd3935e93332ddcf79a8e046145d12a2c828c377b0

                                              • C:\Users\Admin\AppData\Local\TempXUASW.bat

                                                Filesize

                                                163B

                                                MD5

                                                ea4303efde76629374de6b11952f9e27

                                                SHA1

                                                3107eff0d36f21f7ff7fd8cf4ea91375af22b860

                                                SHA256

                                                8808e26f855e6a99c32e3d722231b39a8cba3af20129903699ba980ae759e521

                                                SHA512

                                                7c46ab22a890c541bf17af1bf859b750fe149483654c863c75bf9c33f5681326cf73b57758dec6b6d6fb17d343dd51ba6857f4af9fd04f5f1dbf68619033714b

                                              • C:\Users\Admin\AppData\Local\TempYWFFY.bat

                                                Filesize

                                                163B

                                                MD5

                                                b632669968060dccd2ae955be6878baf

                                                SHA1

                                                3d6eefd207e05e90bc63ac56341fb73daf6cd6f1

                                                SHA256

                                                976e6b6f8a7db757916c260a4ef9fa037099f6f0314c826ba34206b3466bb09c

                                                SHA512

                                                eacf0ed4f7b5b42bdce234d541f8b54d353eb7e973e58e22e09a7ce05ed6b1deb6af96e7f6908bdf8e2886461c944d24be2315d828dcdb4df38b65a16cd592fd

                                              • C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                4788af33b6abd9dcd4f7f33c7c9a8859

                                                SHA1

                                                230150b664aa4c22ca455a396ad195e3c7cabaab

                                                SHA256

                                                ba5c3a51a2b321163bef5030983d78d6ef8dbe086ad591c5e89d3231ce0ec4c1

                                                SHA512

                                                bf93a15a6f0199499e475a688d89d56cf3a289ac164da0f6d4dcc072f3f8750ec2c430e970a9b2e981becc4bbb33e282579e707a78efe8730dc9494ed3390a4c

                                              • C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                b3a9cf21b0b73b79fb99452414bcae2e

                                                SHA1

                                                94f36ac744258f4e7991683e91a8215f0017a4f9

                                                SHA256

                                                d9db6b29db918532ffd684105b2bf976d8e6b63b22946a94040c0b57f9616024

                                                SHA512

                                                ca969a09db3de21ada2d0c61fcc67e63cd25cd7cbc9f86656b92fad163841def10a0a17d22ce246bbc280cad15ef4c9889e5f206483bdb5bc750d919f69a1394

                                              • C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                c4d4763724133add0c6ae95be709ea75

                                                SHA1

                                                03d10376801dbbb15ce648121cf500e4992d0dd5

                                                SHA256

                                                9a30d3d0245088eeb3a06b9d9e85a67807ff2dfeba97681769a09ae5e5b9074c

                                                SHA512

                                                ee25d6925b3316664d306b23b64ff46fd5939bb4e8c09a26fc71f5b3ae3e9836b821ce94a4af46d6ec3b9c0bde56d362866e9d14d3d7241fcac602e29cf44911

                                              • C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                99fe29f7615dce583027855a13598d93

                                                SHA1

                                                67a37e292d45a834077f85cb632a179ef59d3ad3

                                                SHA256

                                                23a98274b5b64a004c17ac31e5b1d5d96755905801c3dfc9dd5b96a8ab521e42

                                                SHA512

                                                a95fd0389c55c0a03d7bc0db4d05fc2128c15b600d485e85fe11082e2711f79f7c91e78d91d7d0b3259ff07b3bae0fa2ac904275ab05775b20bec446b2e270dd

                                              • C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                b6fc8cc69d00b5c17ae4e0efcfec25d0

                                                SHA1

                                                5b1bf3cc63bbf99dc327340b331c7a37ea3bb705

                                                SHA256

                                                792910fe0fb379e874f2d319200561844c145165991f3f2dfb47874f152ac3ed

                                                SHA512

                                                ae2ea0de7daddd51c0ddef389e76f17bfe728ef565759d339cc72839d273f78f84267220aa44bce7ddc1fcc02fff484586b3da07816dd8aafc5c4f13903383fc

                                              • \Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                049bfded15e4f241766d4fb6fcd52418

                                                SHA1

                                                85c1abdf3111a7c0d77ee98b3418fba90895d0ff

                                                SHA256

                                                884c73c22731585ec7d33d6f35587a398870dafae833b691044c7e576ed90420

                                                SHA512

                                                b2691223ee7decd2e1eee89cd092ffd4062dedfc0976219fad5ca4d4f462554af70ca79a3f324f26e2a7b9029837b199b5f9770cd5e9d15a1890dc3807088ac2

                                              • \Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                bfeee6cc665c6b156a6a04c44c8c8740

                                                SHA1

                                                d1f833dbe781ed6e762cc585d83ba900fd3129e8

                                                SHA256

                                                00b682423b8addd112ce5a2553efd19be83ac3facc9917438e2809a1672f17e1

                                                SHA512

                                                049302321e8850b6f17843a7c9c041e85de5d47d5294dd40a96540ed8b5fd86215330467dcd87cabaf593fc635f3c3103a2db16ba7e6a295a5a00fa02ac09ab6

                                              • \Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                50063ef51634c8123e50d1f22fbd4d68

                                                SHA1

                                                28a386f89ffe8a4e951c6aa5567bb9cf7b859472

                                                SHA256

                                                c0ec00cc26c266f4a4c3daf1549bb05638f15a2a52fd24da33ceaff02ade3be5

                                                SHA512

                                                407fe1f9340c1110737f4f30086daaff2a5d32af9c573c5495cdb9bf7fa116392e73b9c9a1bd5b58870aeaf6d8492359160113e166e23bdf1ffc4dee53dda8e8

                                              • \Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                493ebe937683248ec490a528a62b2829

                                                SHA1

                                                b51c315edd249f91b96c90a8f544ba69878fe93e

                                                SHA256

                                                eacdd17d777b4a35473736e82151aec51e613c1479621a94ce6f0aea20a6ba03

                                                SHA512

                                                96a587a4cfc2f0d2ed3ae4d9260ee7a69693d16bd018b9172b2621fef4f8cd6bc1cdee1ff9d19a20b5fb25f67f6e9a83f40736fc3681cef9e2fa3ce126bcb046

                                              • \Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                a593f4e82ac5efccc99f48d25d524911

                                                SHA1

                                                dee80a4d8abf99554c52f09c145cdd9234f2304b

                                                SHA256

                                                f15dbcca617bd637285762c6bc390f0884f63cfe9583ef9287a72c679ce299d1

                                                SHA512

                                                d187c3aebf621c8d43f87f1f83c83e8bb07b99ade83f1665ab882bf8b2c550c855cdb5ec651da59730ca3aa74e546d8dac4b49aabedbf072ff157a83797d607d

                                              • \Users\Admin\AppData\Local\Temp\ORHBXGPFLDULJAU\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                93f5b52895b35db5e521d05e5ab562ee

                                                SHA1

                                                88fe6ceac3333917bb16c71635caf1a2ec5b5454

                                                SHA256

                                                12e806e31e02ebbdc35bd380804f522c227de044cb0c311e56ab548a2294eba7

                                                SHA512

                                                b94b710032468d120feb8ee72bfdc30f46b7540a90d0893bcae65a9316280e11a611c9e7d328efac9831d88bfb0151b3f3b1c5028a8269f0cb059db161c60b51

                                              • \Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                993193be57ca1b0d83c7e70642c48c95

                                                SHA1

                                                c4e349e302882f5d716654c2b523e82e20a8b97c

                                                SHA256

                                                3a16e9872aea757ae4f913e122b50bb393e659365c512f03aecaa54f62457568

                                                SHA512

                                                1ecb48e60ba6e56dbb84332ca0e217553b0597c77d6b30ddc99dc4c4274c59c3a974541d6cd72373ba8961141883a7aed6cb45ba5253cd62579cdac0ef018118

                                              • \Users\Admin\AppData\Local\Temp\TNGMTEFSYPXLWMI\service.exe

                                                Filesize

                                                520KB

                                                MD5

                                                ae35509ed8049a2941860608b097338a

                                                SHA1

                                                f6d2c0349ef365b9e13abd7f8da146a2afa03d4a

                                                SHA256

                                                5ee6a08082883320a116451913f08f66731622425facc4e949957414eb827e43

                                                SHA512

                                                216d2764d31d01e99719c0bd189c54ad57135c3ac80dece2bb99847f721c247ec017ef0e9f0346661c6051c62140f58d819787befa8059422aad0c0d1fb4fb6b

                                              • memory/2552-1170-0x0000000000400000-0x0000000000471000-memory.dmp

                                                Filesize

                                                452KB

                                              • memory/2552-1175-0x0000000000400000-0x0000000000471000-memory.dmp

                                                Filesize

                                                452KB

                                              • memory/2552-1178-0x0000000000400000-0x0000000000471000-memory.dmp

                                                Filesize

                                                452KB

                                              • memory/2552-1179-0x0000000000400000-0x0000000000471000-memory.dmp

                                                Filesize

                                                452KB

                                              • memory/2552-1180-0x0000000000400000-0x0000000000471000-memory.dmp

                                                Filesize

                                                452KB

                                              • memory/2552-1182-0x0000000000400000-0x0000000000471000-memory.dmp

                                                Filesize

                                                452KB

                                              • memory/2552-1183-0x0000000000400000-0x0000000000471000-memory.dmp

                                                Filesize

                                                452KB

                                              • memory/2552-1184-0x0000000000400000-0x0000000000471000-memory.dmp

                                                Filesize

                                                452KB