blackshades | 3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
Size

520KB
MD5

231b70e02dcab0e5f503c58166606891
SHA1

56af8431911a339fcbfa02bd70dfb0a7ac3e63b6
SHA256

3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba
SHA512

5d0dc0beaccb04b0fe8f94937f5d7de6b19e0e941f39bf7dd69404d02ab036ba2d42c9d1f89a554042d383e6d86902ba8446797c0b131009b0f7d3ac201afe3a
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXM:zW6ncoyqOp6IsTl/mXM

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 5 IoCs

resource	yara_rule
behavioral1/memory/1280-1777-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1280-1782-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1280-1783-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1280-1785-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1280-1786-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXSBVXLQVBCIAF\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 64 IoCs

pid	Process
2236	service.exe
2812	service.exe
2220	service.exe
536	service.exe
2080	service.exe
820	service.exe
1360	service.exe
744	service.exe
2428	service.exe
2764	service.exe
2676	service.exe
2360	service.exe
1628	service.exe
348	service.exe
1916	service.exe
1492	service.exe
2224	service.exe
2740	service.exe
2628	service.exe
660	service.exe
272	service.exe
2928	service.exe
1568	service.exe
688	service.exe
2092	service.exe
2376	service.exe
2404	service.exe
2792	service.exe
2148	service.exe
1412	service.exe
1576	service.exe
288	service.exe
1264	service.exe
304	service.exe
740	service.exe
1588	service.exe
2768	service.exe
2632	service.exe
2812	service.exe
2592	service.exe
1636	service.exe
2620	service.exe
2940	service.exe
572	service.exe
1592	service.exe
744	service.exe
2380	service.exe
2096	service.exe
1408	service.exe
1156	service.exe
2104	service.exe
1736	service.exe
2600	service.exe
1416	service.exe
2612	service.exe
1696	service.exe
2428	service.exe
2888	service.exe
2956	service.exe
576	service.exe
1892	service.exe
1044	service.exe
296	service.exe
3048	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
2236	service.exe
2236	service.exe
2812	service.exe
2812	service.exe
2220	service.exe
2220	service.exe
536	service.exe
536	service.exe
2080	service.exe
2080	service.exe
820	service.exe
820	service.exe
1360	service.exe
1360	service.exe
744	service.exe
744	service.exe
2428	service.exe
2428	service.exe
2764	service.exe
2764	service.exe
2676	service.exe
2676	service.exe
2360	service.exe
2360	service.exe
1628	service.exe
1628	service.exe
348	service.exe
348	service.exe
1916	service.exe
1916	service.exe
1492	service.exe
1492	service.exe
2044	service.exe
2044	service.exe
2740	service.exe
2740	service.exe
2628	service.exe
2628	service.exe
660	service.exe
660	service.exe
272	service.exe
272	service.exe
2928	service.exe
2928	service.exe
1568	service.exe
1568	service.exe
688	service.exe
688	service.exe
2092	service.exe
2092	service.exe
2376	service.exe
2376	service.exe
2404	service.exe
2404	service.exe
2792	service.exe
2792	service.exe
2148	service.exe
2148	service.exe
1412	service.exe
1412	service.exe
1576	service.exe
1576	service.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYTSABU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAQHRNICCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YMNIGJMTCOTDPBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHENFKYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVTYLBPLIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SUKECJTJOGXOCMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGEKGWJRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYJHLGODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQKFAEUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TGKGDUSIIKFCDMI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKXTBWYMQVCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJFDKFVIQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVWKWHGKYBMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKEXEVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EGBBWRFMHLITQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWUXINSAFCRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYMYJIMDNTLCCEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWSHVDLCX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKDCJSIOFWNCMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHGMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSQYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVJKFDGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BLYUCXNRWDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VRFRDBFYXTUHMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNSLBBDFTBPOAID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMYPSRTFJOCNWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMHGIYLTCNSCPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPTFGDMEJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACWSNBWIXCHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYOSQTEJOBNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEEAVQDKF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YAWUMCQMJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKUKPHYPDNE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSUGKQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JFERHVROTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPYBBPUMUIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYWFFRXNLPKSGIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDTOCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ETURABMSXJHLGOC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVMUJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMHFIYLSBNSCOA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DNWEBPTYFGDMEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCDAIBGUUIJECFU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PCGCAQWOFFHCIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKLIQCJN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRDSCRSQYKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LGVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNOBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGIYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUGHEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQDLCUMIDTMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JNSAFDRRFGBCXRF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMIJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBAGCXSFM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\IXYVEFQWNLPKSGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNBBCXCTOBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXUVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPDYKEJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAVHWCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMMWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WBXLYJIMDNTLCBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVQPVRHUCLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GHENFKYAYMNIGJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTKSHRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ETURABMSXJHLGOC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQCCPVNVJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNOBHOOXSSHQDYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLYOYSQSEIOBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UTHIECEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXSBVXLQVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAVHWBGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXNYRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HIFNAGLBMOJHKNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWPUNDNHFHYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHBRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QVCDAJBGUUIJECF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVROTGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPBBPUMUISJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNMSOERYI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOERITYJV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMKSEKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DQGUQNSFSUPIMNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLCULIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XENXVFBMGGXQTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSPJEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCSBJTPKEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WXUDDOVLJNIQEGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRTOMPESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSELQ\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
984	reg.exe
1808	reg.exe
952	reg.exe
1800	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1280	service.exe
Token: SeCreateTokenPrivilege	1280	service.exe
Token: SeAssignPrimaryTokenPrivilege	1280	service.exe
Token: SeLockMemoryPrivilege	1280	service.exe
Token: SeIncreaseQuotaPrivilege	1280	service.exe
Token: SeMachineAccountPrivilege	1280	service.exe
Token: SeTcbPrivilege	1280	service.exe
Token: SeSecurityPrivilege	1280	service.exe
Token: SeTakeOwnershipPrivilege	1280	service.exe
Token: SeLoadDriverPrivilege	1280	service.exe
Token: SeSystemProfilePrivilege	1280	service.exe
Token: SeSystemtimePrivilege	1280	service.exe
Token: SeProfSingleProcessPrivilege	1280	service.exe
Token: SeIncBasePriorityPrivilege	1280	service.exe
Token: SeCreatePagefilePrivilege	1280	service.exe
Token: SeCreatePermanentPrivilege	1280	service.exe
Token: SeBackupPrivilege	1280	service.exe
Token: SeRestorePrivilege	1280	service.exe
Token: SeShutdownPrivilege	1280	service.exe
Token: SeDebugPrivilege	1280	service.exe
Token: SeAuditPrivilege	1280	service.exe
Token: SeSystemEnvironmentPrivilege	1280	service.exe
Token: SeChangeNotifyPrivilege	1280	service.exe
Token: SeRemoteShutdownPrivilege	1280	service.exe
Token: SeUndockPrivilege	1280	service.exe
Token: SeSyncAgentPrivilege	1280	service.exe
Token: SeEnableDelegationPrivilege	1280	service.exe
Token: SeManageVolumePrivilege	1280	service.exe
Token: SeImpersonatePrivilege	1280	service.exe
Token: SeCreateGlobalPrivilege	1280	service.exe
Token: 31	1280	service.exe
Token: 32	1280	service.exe
Token: 33	1280	service.exe
Token: 34	1280	service.exe
Token: 35	1280	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
2236	service.exe
2812	service.exe
2220	service.exe
536	service.exe
2080	service.exe
820	service.exe
1360	service.exe
744	service.exe
2428	service.exe
2764	service.exe
2676	service.exe
2360	service.exe
1628	service.exe
348	service.exe
1916	service.exe
1492	service.exe
2044	service.exe
2740	service.exe
2628	service.exe
660	service.exe
272	service.exe
2928	service.exe
1568	service.exe
688	service.exe
2092	service.exe
2376	service.exe
2404	service.exe
2792	service.exe
2148	service.exe
1412	service.exe
1576	service.exe
288	service.exe
1264	service.exe
304	service.exe
740	service.exe
1588	service.exe
2768	service.exe
2632	service.exe
2812	service.exe
2592	service.exe
1636	service.exe
2620	service.exe
2940	service.exe
572	service.exe
1592	service.exe
744	service.exe
2380	service.exe
2096	service.exe
1408	service.exe
1156	service.exe
2104	service.exe
1736	service.exe
2600	service.exe
1416	service.exe
2612	service.exe
1696	service.exe
2428	service.exe
2888	service.exe
2956	service.exe
576	service.exe
1892	service.exe
1044	service.exe
296	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2420	2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	30
PID 2016 wrote to memory of 2420	2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	30
PID 2016 wrote to memory of 2420	2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	30
PID 2016 wrote to memory of 2420	2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	30
PID 2420 wrote to memory of 1908	2420	cmd.exe	32
PID 2420 wrote to memory of 1908	2420	cmd.exe	32
PID 2420 wrote to memory of 1908	2420	cmd.exe	32
PID 2420 wrote to memory of 1908	2420	cmd.exe	32
PID 2016 wrote to memory of 2236	2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	33
PID 2016 wrote to memory of 2236	2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	33
PID 2016 wrote to memory of 2236	2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	33
PID 2016 wrote to memory of 2236	2016	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	33
PID 2236 wrote to memory of 3020	2236	service.exe	34
PID 2236 wrote to memory of 3020	2236	service.exe	34
PID 2236 wrote to memory of 3020	2236	service.exe	34
PID 2236 wrote to memory of 3020	2236	service.exe	34
PID 3020 wrote to memory of 2484	3020	cmd.exe	36
PID 3020 wrote to memory of 2484	3020	cmd.exe	36
PID 3020 wrote to memory of 2484	3020	cmd.exe	36
PID 3020 wrote to memory of 2484	3020	cmd.exe	36
PID 2236 wrote to memory of 2812	2236	service.exe	37
PID 2236 wrote to memory of 2812	2236	service.exe	37
PID 2236 wrote to memory of 2812	2236	service.exe	37
PID 2236 wrote to memory of 2812	2236	service.exe	37
PID 2812 wrote to memory of 2652	2812	service.exe	38
PID 2812 wrote to memory of 2652	2812	service.exe	38
PID 2812 wrote to memory of 2652	2812	service.exe	38
PID 2812 wrote to memory of 2652	2812	service.exe	38
PID 2652 wrote to memory of 808	2652	cmd.exe	40
PID 2652 wrote to memory of 808	2652	cmd.exe	40
PID 2652 wrote to memory of 808	2652	cmd.exe	40
PID 2652 wrote to memory of 808	2652	cmd.exe	40
PID 2812 wrote to memory of 2220	2812	service.exe	41
PID 2812 wrote to memory of 2220	2812	service.exe	41
PID 2812 wrote to memory of 2220	2812	service.exe	41
PID 2812 wrote to memory of 2220	2812	service.exe	41
PID 2220 wrote to memory of 1924	2220	service.exe	42
PID 2220 wrote to memory of 1924	2220	service.exe	42
PID 2220 wrote to memory of 1924	2220	service.exe	42
PID 2220 wrote to memory of 1924	2220	service.exe	42
PID 1924 wrote to memory of 2408	1924	cmd.exe	44
PID 1924 wrote to memory of 2408	1924	cmd.exe	44
PID 1924 wrote to memory of 2408	1924	cmd.exe	44
PID 1924 wrote to memory of 2408	1924	cmd.exe	44
PID 2220 wrote to memory of 536	2220	service.exe	45
PID 2220 wrote to memory of 536	2220	service.exe	45
PID 2220 wrote to memory of 536	2220	service.exe	45
PID 2220 wrote to memory of 536	2220	service.exe	45
PID 536 wrote to memory of 1628	536	service.exe	47
PID 536 wrote to memory of 1628	536	service.exe	47
PID 536 wrote to memory of 1628	536	service.exe	47
PID 536 wrote to memory of 1628	536	service.exe	47
PID 1628 wrote to memory of 2168	1628	cmd.exe	49
PID 1628 wrote to memory of 2168	1628	cmd.exe	49
PID 1628 wrote to memory of 2168	1628	cmd.exe	49
PID 1628 wrote to memory of 2168	1628	cmd.exe	49
PID 536 wrote to memory of 2080	536	service.exe	50
PID 536 wrote to memory of 2080	536	service.exe	50
PID 536 wrote to memory of 2080	536	service.exe	50
PID 536 wrote to memory of 2080	536	service.exe	50
PID 2080 wrote to memory of 348	2080	service.exe	51
PID 2080 wrote to memory of 348	2080	service.exe	51
PID 2080 wrote to memory of 348	2080	service.exe	51
PID 2080 wrote to memory of 348	2080	service.exe	51

C:\Users\Admin\AppData\Local\Temp\3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
"C:\Users\Admin\AppData\Local\Temp\3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempYRXJF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNSLBBDFTBPOAID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1908
- C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe
  "C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempMHMIU.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNSAFDRRFGBCXRF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAVHWBGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:808
  - - C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe
      "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIPKPL.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VCDAIBGUUIJECFU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2408
    - - C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2168
      - C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
        7⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYJV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYTSABU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMOXTA.bat" "
        10⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JFERHVROTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGANW.bat" "
        11⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXUVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPDYKEJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
        13⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
        14⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHGIYLTCNSCPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYA\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYA\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSFCRR.bat" "
        16⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQGUQNSFSUPIMNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPWMKO.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBWIXCHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDVURR.bat" "
        18⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJMTCOTDPBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHENFKYA\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHENFKYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHENFKYA\service.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFRXNLPKSGIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe"
        19⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        20⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVWKWHGKYBMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
        21⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAVHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXCUUQ.bat" "
        22⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIYLSBNSCOA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
        23⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKEXEVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
        24⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDOVLJNIQEGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
        25⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHGMIYLSC\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSRDMD.bat" "
        26⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGCAQWOFFHCIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLUQDA.bat" "
        27⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNVJKK.bat" "
        28⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EGBBWRFMHLITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
        29⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQSOG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
        30⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRSXDE.bat" "
        30⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNMQDHDBRXPGFID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f
        32⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTDOTD.bat" "
        32⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GHENFKYAYMNIGJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTKSHRH\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTKSHRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTKSHRH\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKQ\service.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVGFJX.bat" "
        34⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTBPOA.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYJIMDNTLCCEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGPGE.bat" "
        36⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFJEMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe" /f
        37⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDPTEQ.bat" "
        37⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HIFNAGLBMOJHKNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFHYUVD\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFHYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFHYUVD\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
        38⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVTYLBPLIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
        39⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRDSCRSQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKSFLQ.bat" "
        41⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMMWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVCTMR.bat" "
        42⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTVHNUUFYNWJI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe" /f
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHRM.bat" "
        43⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKDCJSIOFWNCMC\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\RUKDCJSIOFWNCMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUKDCJSIOFWNCMC\service.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        44⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHBRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYAHHQ.bat" "
        45⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDWUDD.bat" "
        46⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ETURABMSXJHLGOC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
        47⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNOBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFTBPO.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WBXLYJIMDNTLCBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVQPVRHUCLC\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\GYJVUVQPVRHUCLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GYJVUVQPVRHUCLC\service.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEWUDE.bat" "
        51⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUVSBBNTYKHLHOD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe" /f
        52⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
        52⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGEKGWJRA\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\WONVKJKGEKGWJRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WONVKJKGEKGWJRA\service.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVIPKP.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVCDAJBGUUIJECF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDVUCD.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ETURABMSXJHLGOC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "
        55⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWUMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe" /f
        56⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHEMFK.bat" "
        56⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMGGXQTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        58⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXMIQI.bat" "
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYJHLGODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe" /f
        60⤵
        Adds Run key to start application
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
        60⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f
        61⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQDLCUMIDTMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f
        62⤵
        Adds Run key to start application
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVHPH.bat" "
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TGKGDUSIIKFCDMI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTBWYMQVCDAJB\service.exe" /f
        63⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\BKXTBWYMQVCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKXTBWYMQVCDAJB\service.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHQHE.bat" "
        63⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe" /f
        64⤵
        Adds Run key to start application
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "
        64⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFRDBFYXTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe" /f
        65⤵
        Adds Run key to start application
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
        65⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe" /f
        66⤵
        Adds Run key to start application
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        66⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe" /f
        67⤵
        Adds Run key to start application
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe"
        66⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMNXTA.bat" "
        67⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDRHUQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe" /f
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe"
        67⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHIQM.bat" "
        68⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFFRXOLQLSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDXDUPCJE\service.exe" /f
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\OHXGOCCDXDUPCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDXDUPCJE\service.exe"
        68⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
        69⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKQDAPXO\service.exe" /f
        70⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKQDAPXO\service.exe"
        69⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOXTAG.bat" "
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVROTGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe" /f
        71⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe"
        70⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        71⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe" /f
        72⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe"
        71⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f
        73⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPTTNF.bat" "
        73⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNOBHOOXSSHQDYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEIOBNV\service.exe" /f
        74⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEIOBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEIOBNV\service.exe"
        73⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIECEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe" /f
        75⤵
        Adds Run key to start application
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe"
        74⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe
        75⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        76⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        77⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe:*:Enabled:Windows Messanger" /f
        76⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe:*:Enabled:Windows Messanger" /f
        77⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        76⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        77⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        76⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        77⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.bat

Filesize
163B

MD5
249918268e6ef42d04a028985d50c51c

SHA1
fbf96a7c6c0157633e3600da773b3b2a6c47e24d

SHA256
fbd42312af6ebb120cdbcc8fd5a5c2aa9e967a3a33211aa90e44794921f181f7

SHA512
47607e3b050f6bc14c7bf1fcb79c9323bc7f15236b19df5b12dc18929b8c395cb4cae2ef1a14bbf39ab30106324a3d13966f336f9d2979c89cde22b0c61d42af

Download Submit
C:\Users\Admin\AppData\Local\TempAHIQM.bat

Filesize
163B

MD5
9bb1820cb5e9de2e1e89c4aaf5540dc8

SHA1
442bf6145cb66fd05c1599c614486af21aee2a7c

SHA256
dccb10c05d9e33ea91a4f7c1e2c0c34899549cf29331719b38aec0aa8bcf812d

SHA512
5afa780df70473b9b5bef97955374c7debc1c45efa2b8192d407769b1bdcd88d530f0a98853da5c54596c47a3029acfa3f9b632cbd92ca989affe27cc9ae2f92

Download Submit
C:\Users\Admin\AppData\Local\TempAJXFT.bat

Filesize
163B

MD5
120537d96045d46e2ec2a722f68af997

SHA1
e14c077f5d18ac1ceb39cc6fbea443d10549f1f1

SHA256
707a34b25667e08a7141de1eab266006d310482c59b7ea0b42c472e3beaa18cc

SHA512
2805bb82415c3feb1b5bea94c96e6128cec78f96999ba18a7ac9ab109347df0fbf87aeb89b523e3d10362ad4a111967430d920dbfc5acea73d4ce60773e8c4a3

Download Submit
C:\Users\Admin\AppData\Local\TempDGHRM.bat

Filesize
163B

MD5
54ff3e9db459836675750cd1b5d8464d

SHA1
c0ad00506cb544769c75515770bd5bb68f5fb263

SHA256
a640bb75a934b7e7ab25581c932e3ca853092716e2f1e9628950e14c3ed882d3

SHA512
0abd493cc754dcd4b815fbcb156d8deeddea73f7101cd2aa93c0b40f50ce7a65d1e5e9c63df4fd2344558fb620e78c41c92eeb04b4c7d023c7288084cfe0948b

Download Submit
C:\Users\Admin\AppData\Local\TempDHIRN.bat

Filesize
163B

MD5
2fdcd9d2236a42565c834c18cd746d9c

SHA1
0f8dc5f6fd8766526e95f7dc1af821c880a3d17c

SHA256
e40495cc17620ede5fce1c99444af3d23be9bc642aa1c56f8ca13da953495cca

SHA512
da7dcfc6608bccb7fa4d4fb6c7c680042a306dc1a9ff1b1223045d7869fa3a39701f04a0e4d83f3f12cd306b06d2c11a1d6aa54ae5ee3546c8f7179923a94cf0

Download Submit
C:\Users\Admin\AppData\Local\TempDPTEQ.bat

Filesize
163B

MD5
3683fbac0a1d195e6065dedb52f1307a

SHA1
345c607498414dba6646b652a04eaa11d4002015

SHA256
75b6a2d0662873989d0844c5f43aa5c5333063bdf9629939480b42d42ddd8aad

SHA512
b94c5cd3591ae3a58e2adb8b92fff96e6b0b318c3d9236c1c2ab501c888af9deaa0b2ce9fd39a6442ffcafb1681a79c7ed7791db3c9a4db34398a94b95ba63d5

Download Submit
C:\Users\Admin\AppData\Local\TempDVUCD.bat

Filesize
163B

MD5
e8ae696d996a96811c2b815dd0a4643f

SHA1
d83707a010e437a77b237187abcc82ba170e4ef8

SHA256
1c73bc99f4d3cc74fa23a98fa101cac63020700fa9fd19b279aa45393eef1dd3

SHA512
801d2cd26b0acc727632aab86aab06c4b53f9a88d7cc8fcf39402ea821a8d220bbbec8ca2da46052d0f7d4c6168ba1100c755a89d1f348ea26e6033975140dda

Download Submit
C:\Users\Admin\AppData\Local\TempDVURR.bat

Filesize
163B

MD5
e13ad6160f030f5879e63f316df964f5

SHA1
854b24a8a36247164e70851ad03cfb28fd5e185c

SHA256
d7c550a4067093441233310f5db08a566bc58a8fec7c7325735d460cf0152ff1

SHA512
4a9f1278c6d6439839664b252d3c745c3e5bae29769bf69a2e73fcf01fd2facf732ede047fe463bf4924d96b538b6d0f206b25292d3b354a83b1c918664b29ae

Download Submit
C:\Users\Admin\AppData\Local\TempDWUDD.bat

Filesize
163B

MD5
72ce7929e43f7528ed690d73f205aa68

SHA1
b63579607dd91bc667420333ec6d3b8a11a653e7

SHA256
17d3c6a2fbfa31bb08bdc3f6ad51a3643da11961e251bab56d77fe62c6b0ee20

SHA512
7148dca6ef0a6788d97dd09b97e795b40d548e6deb420d43f8bfee8d5f2a313f79228610114414a8aeb7418eb6093d9457d3d591bd3145e2a38c517907e171e0

Download Submit
C:\Users\Admin\AppData\Local\TempDXBMK.bat

Filesize
163B

MD5
f2cddf9b4c6dc1c004b21edafc8229cd

SHA1
29cdd639f4c179567cb348866c5f6e3dba09d708

SHA256
8f24551e222b7f71fe5abde2e4f575e531c22c7b9d65a5493adba78b9ac040db

SHA512
e2bf4e1ecd1e3ea9c31b09da90f2c7fc0c3b0f826f5ff4ed820c793f892fae68af1e6bca0a8418322ac629f765cc873c5ff81fbb59628e3bdb06d93fdd59b0b0

Download Submit
C:\Users\Admin\AppData\Local\TempEIJSO.bat

Filesize
163B

MD5
604f9a349912404b79f36a00ff580e44

SHA1
44695701694f6859082fda33380e97c86543e0f4

SHA256
8238fb6f37bb7fad279bfdb835e296bbd9dd92e8a340c4cc58b6d7a80d1633ef

SHA512
d9f803b15736c45dfb654eeafc4ff303bb3b0d43557042db6dc08b2134cb45d5eacafbe576947d62276b0552b5383f2b2d177b01bf40aa71ec98b3fb1febde18

Download Submit
C:\Users\Admin\AppData\Local\TempEWUDE.bat

Filesize
163B

MD5
bae62d4d429f12143961f6e8822c4ff2

SHA1
b6cab41386d7b34d92cce3b6a1c8c6d1576ed74a

SHA256
57223b0b9c08f694bafa2ffc0d296ecc91a0748317eab88e9c376f374d2bb8b6

SHA512
3d8bdd512122db6a9386ccee5a5120b49826add3c4d82b056761bd4c80ad7b2fd8eb45145bc62c14885ad99c709fc45cdc38a74f903a1ef66a61abbeeb61bd16

Download Submit
C:\Users\Admin\AppData\Local\TempFTBPO.bat

Filesize
163B

MD5
4184baf23fa921a92871f55e01c85ebd

SHA1
b08c02458a75ef4b505a395a4408cad0728c96a9

SHA256
7228e1874b9a6c36ed8e9524a74ca846bbb7be7aa333ef4b8602c1d61032d43b

SHA512
c6c22c97cc1d372de1624ecf2da1cc346cc5024861b39681c92b0df0da3ad6b17d9d8f9db9502084966435b3206f2028c6ede597d2491567f7cca583f232da8e

Download Submit
C:\Users\Admin\AppData\Local\TempFYYNW.bat

Filesize
163B

MD5
55ae9eaf6bbf34f43d2b174ad6d75110

SHA1
5d828ffea60910fd94a9955fbaf2d31f9deeccfe

SHA256
5e8f4b6191f88b6e94835de40dadc0eb7543bb512cba996049bc01d1fd73359a

SHA512
2aea0961f2890f47b695ad363b7be7414c87a27c7669708f57d32184b42b64a48e9427901a7581db444cc0816313b544c9f36b48b133c1a14ca398c056ba4119

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.bat

Filesize
163B

MD5
fc4fc4d0e67121ad7c4abfe5e5e1a17b

SHA1
5c85394b9f2aa5972caab7d5f3e1730b143a05f9

SHA256
f5b5a300415e73e733e16403c35df1f1cc3957bd86cde08570adeaf45d904b17

SHA512
e57b463c78f1b96e1030f8973a404437c833271a878577b73bbbea0918f3ad263950dfa169dcf01380a01a24f1a2873370f89c09e4277cd95cabdbb277afd3d0

Download Submit
C:\Users\Admin\AppData\Local\TempGFJWA.bat

Filesize
163B

MD5
f342746ed0e97ae4805a0dcbd22f6711

SHA1
389aa2b56393e8521feeb335d0b448ff9febf2d1

SHA256
6409a6c8d8f94ef78633fd17806d1ffe6df0b931a90e4bd9816b840f018925c6

SHA512
89fcc183b55e271ecd36cbaa72a64b92b910beff322cdfd6677049fa7839acb39c7f5b45e84ece54cf574734f421ce2d6e1258e8e3337057d1bbb3a47e976d75

Download Submit
C:\Users\Admin\AppData\Local\TempHEMFK.bat

Filesize
163B

MD5
da000290cd4c1570246e10c52c706ded

SHA1
1e9325069f98ba2de00632d0e24ff9a7887289a3

SHA256
8cc1c7e35601b97c9181ab01760b6408638d34c43d5b3c6a7f3c03dece510e30

SHA512
572ab3671a5c1c1be91f06ffc02ab5e0ce869734ff704ec090f3ceb5db4f0308151162518abc3cadfe5bb2cbdf9184bd2609ba28361b2f371b7fb9137797bcda

Download Submit
C:\Users\Admin\AppData\Local\TempIACQM.bat

Filesize
163B

MD5
b1bfd48c53d96b111ceee3fc4b8a4da9

SHA1
a89a06d03b1f3cf5ac30569c84fff43b1cf05da6

SHA256
0c362dca25f742d4685e2458e7453817b2627db548cb609549a7f1348bff5f36

SHA512
79d300411c0653ab91d6e4fcd6c159e5e56822595f9ab10bb8791d0a0c3a22954a8367c8dd19d7ef2ec7ce9058d74692fa93b0c8ce8f576a25086d43573ae98a

Download Submit
C:\Users\Admin\AppData\Local\TempIPKPL.bat

Filesize
163B

MD5
b26ffee740df60855c8a0d0fedeb043e

SHA1
48f9e962abac440e5a93810f0e4880bcf56d7cc3

SHA256
4b7a9e123448332eedcf14d811ed56eaf68ed243466715ca37fc2c958a065e22

SHA512
e3d53123fcaaa956ecb3ab9e913e2e7269562c2bd30ee8a57cd23094207fcd1c888d80b7806536d980b39267624a7259c4ab2f9725667156eb72f79fcb2ddabf

Download Submit
C:\Users\Admin\AppData\Local\TempJSNWN.bat

Filesize
163B

MD5
ee8e024e3fa98ca90d73c83a2dc91f46

SHA1
1f1b115ccbc4e85647fdcc90adfac5afe6639ab3

SHA256
99fbe30c0f81cf6cef8df23964828c71485f996912067a132955bff5859b4b4b

SHA512
150461dc208fa543f2f8e058cc84b9793a6f6171724e22d7a41642e7fdaa97841ad9c4b2f7ae87295820ff9105e729295fd87eb048435df37d1a0a40d6b12d94

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQD.bat

Filesize
163B

MD5
cc54c063de161646c82178302471fae0

SHA1
6253e70eaf3f8ce5d57137446d558f866601be05

SHA256
cb95130a5218b66f6772011e7d50e1d73fb1b5acfbf08ee5a4b05b601cc085bf

SHA512
c3c94124503d19f70a729a56ff788768aaebf502d3572cf1d5f050ee74bd5d7f5a040e6dc39f39133852ee3d44e0f7ef2e3fede6cc683db7bf043c772d5998c4

Download Submit
C:\Users\Admin\AppData\Local\TempKSFLQ.bat

Filesize
163B

MD5
9908f25a4b21479670cd8b26e43eebc8

SHA1
d9e8ab8de17e76da16add3ed9ac9ebd723b23a2a

SHA256
a2edaa3bb568e4a0c10822f588e0c3d115c576aa7c125ae8201aefe888866890

SHA512
4675f0d69687376e2a2ae73738115cedac4f929ec5d2d4268aa23e59484710cf7990c9b683772badaa92128ccf0f9f867eff04badab49ed34f8d75fa93f3f2e8

Download Submit
C:\Users\Admin\AppData\Local\TempKTFLQ.bat

Filesize
163B

MD5
df728b5b6b2b5193b5952fb10b124ac7

SHA1
225625b492f3d245a090a4013649113d4c4eabd7

SHA256
1c55ff777faea94237e17dd18cd2c127bfdf757c56db8ea268895255d4f4f72d

SHA512
8d0951fa70f20055672c4f2096c1df2fdd9fa040fdfbcbe99820137f929fd6b244fc87d88a2d538cb21de9a3215f46a29313e66b8ce0a6ec03e4e176dc804796

Download Submit
C:\Users\Admin\AppData\Local\TempKXFOF.bat

Filesize
163B

MD5
1f94e6053cdf94abc54a794686e7e430

SHA1
d572d395df1e90dd936521cf27aea25c793df321

SHA256
6f4442827250034c777d5ba31b7762c595da6dc0653987ba9b589a961358035c

SHA512
326d5cfa94b406d10867036c13e4f277fc63c5a9c560c4d847b0571c2000d59bf0819586f44e4d61923534edafa84fa0a0d267e5417173f4c924d0387abdace9

Download Submit
C:\Users\Admin\AppData\Local\TempKXFOF.bat

Filesize
163B

MD5
66dd5cd4e525be1896c38a1aa6d18d8f

SHA1
4239a9d221ab14e1444d94a9abb544027a5ada40

SHA256
660063f2a66177ce71e8722e8c353d4e91e9ed51d0e4d256abb8fe07d30e79fb

SHA512
719261228cddd722b55b7e8f27eac9a65943952d4251b2016f992f252df2eb835d83f63ab651171df84e266f7bf3247e7d05ea172b1a5077800ea68896130b23

Download Submit
C:\Users\Admin\AppData\Local\TempLHQHE.bat

Filesize
163B

MD5
f814f4259a2f98d4da28c79ed3a6bb4f

SHA1
b36d0e73e50229d7ad8821238034a6bd95cf482b

SHA256
eae0bace75f623e11d6b7ef774140e65632b6e3f4df9cb6f90138299c79aea68

SHA512
badd7876a8498ca1aa06c486d73d702210adc70aae2e996340a842443823ea76ac04c457d379d422ff2f451eb0ec2739fe13d4952b70a18dca85540a79cf7654

Download Submit
C:\Users\Admin\AppData\Local\TempLPQVB.bat

Filesize
163B

MD5
0b5902a513078dce612bdb0904f70d14

SHA1
96280bd49e5a5305afd1e9564f063b95218562e6

SHA256
e1a1bdbf6313d19210601de717b5f513cae9cf90ccfb50ba9e06b6627b20bae4

SHA512
76067c4641dd3e186b1cbf0f8c969fd58a38b5b72f444ba6c1be91e0b1d9d2dacaab831691e972d1fda45e9546469f6400ed3d2814d2435fb91b838e6ac6095f

Download Submit
C:\Users\Admin\AppData\Local\TempLUQDA.bat

Filesize
163B

MD5
0887f8a053b6634da227e398c394d81b

SHA1
7e302400941306dbb1fb3a489a23add27b1209d8

SHA256
2f72e4b614fd3ffa97fd87de3f00824cd240546d92b4b5516b558b17097a491c

SHA512
e5fd8516383823287089e860205c0da879e62c25160cfd7dc752c0e265fc60847c03aa72c49d2bd0ad1b71b9b3cedbc0be03a6b81d27410251356f5b4f801eb8

Download Submit
C:\Users\Admin\AppData\Local\TempMHMIU.bat

Filesize
163B

MD5
e78c6558292150544ae1ac937be8d1c6

SHA1
2a4a149494b155b97ba34f8d056c20088dd81f52

SHA256
f770fb21bbd29983bbfa39d6cb92263639976eae0269b0408f3dde1ea98ed31b

SHA512
09eb88d18e29432bb2474836965ef11993e916905d6a4091231342cec2927548f586aacb26c2c563dead17ac1872d75304393428ca116cbe5131bae336481aee

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.bat

Filesize
163B

MD5
a5414e97da952d040b48e8c396fea4d0

SHA1
57fc81d07d933bc1abf80608360ee10ced574a07

SHA256
852fdba6e9e396ef093c00a2e8149dba075859fe89e552cdb9dfd8d0bbea15b5

SHA512
edef55b41c1c6b61812ff93816e3b3e5d9ce1ac49089ce0fff8ba7a5f41f6416f3a912930f10e8a8d57d0b119d9d284064ecac614f152ff5c9d12c3667e0fdf4

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.bat

Filesize
163B

MD5
94feb1d592f93d0e067a85161601e956

SHA1
cf04d3753ae1babda07fdf71aa667a497aa5a490

SHA256
eedbc343819537785f5ef9600d0c365dccaa40c1eb47d925a9b764030da9e49c

SHA512
3682b5b4c9e2dddf4b6e2c5a61c6077778c00e2ed15331a5c5ebd9b93130eb87e776e1ae9aac8514a378339aa413f4c9567030f32626847d2eb14db5ddb8e0a4

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
6fc81aa1e3a1e5e8dd53d4cb8452bd0b

SHA1
94d9da9ddbcea370900167e7905c97ae368a0189

SHA256
20247ff7a0cbc6c205f7f6a8eb7a7f929a8544ee1492e5a49dd1854954250a92

SHA512
e593c96ed8c517de9d7e256ccdba7445c5ffd4bfa67db75d429e610c952c8a6adf66410c93c6aabff8c0ab079b863e39dadff4bb189567128b148bc3b5872ac7

Download Submit
C:\Users\Admin\AppData\Local\TempMNXTA.bat

Filesize
163B

MD5
b5f1dbdd61899b01889ca36394bfbcd0

SHA1
b7d45fdbf9502664c05df2c24fff6e7c9dfa8550

SHA256
e4dd63554ef451959bd56b71673a60f004decfcc5a7270cf39832964288cfc45

SHA512
8c8472ce9959299f4878a84ef0d667f0efd367fdb40e90da3e1f651cfadd0477a4bd0f906dff1ddf1b1a6b3207623bac0b4a9b6d48e81a6764a7200851158458

Download Submit
C:\Users\Admin\AppData\Local\TempMOXTA.bat

Filesize
163B

MD5
83f4afc3b16fd7d247a971a05c803161

SHA1
7a8d7166c6993a9be3627ad8118f630285bcdcfd

SHA256
7fd61ff1671ffd0935722b04ea652889f1c1623303b81da661434d871d13f748

SHA512
9488ccf85a22110b66f4245024d707f7a4dc8d8a331046daca0a5d6a41875963591479432fef6ecea88faeeb1374367df300fe6937a25df6d7863313e81294ff

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTH.bat

Filesize
163B

MD5
132d99bd9fe3ff7634e8d036f664bb2c

SHA1
69afb8e482599e8b360fcc0aade71224f5a3c1d8

SHA256
4c53b53588f7047490fde9a58c2e44691d59744746ed638cb54739ff654f6bf0

SHA512
c8ab0cecfc18665b884d79c30763bc766f6c2b03c0f90a86e3e0e6ad5ba526891916a170fa72e23aea37ca640b8532990f30f3c6712d6ee1dd7e9e1bb9db2a2a

Download Submit
C:\Users\Admin\AppData\Local\TempNVJKK.bat

Filesize
163B

MD5
0edb0ab4b7c786e54ac8cfbb7b878f9d

SHA1
b144b49660a3628eb94992b6233b7b9fe43aaeb3

SHA256
f52e283de13d7e683da2c150123b2df687b96e691e0b2d5a2cde6eaa5a9afcf8

SHA512
3709e65974cfd5d8771fe17db1b7a868da8bf55c5dd9bfeef4f4a1bc95043d525bc9bd3fb137266c70b667c22dbfd73ddeb9d3c3c8442f3c0880747c6ffd667d

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.bat

Filesize
163B

MD5
ef5edc187dd574db15bc13db15c29730

SHA1
f3b596b9657f17c374bf27f16fc9a6df8f4c44c9

SHA256
71487f836772b1b39fe00590cd2d3670db8827008d6032759d213851ae7848cf

SHA512
00077c646294c3abfd99c621bb844c02c9fb37f1dd17c740cb5258ed2f877cdd00d25f641ccb2c022182a79cc9013080024945a6c86dcb6e4dc114ca87708bde

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.bat

Filesize
163B

MD5
82cb4b40ed42077a23212bbfd0a136b3

SHA1
7fa49d60ba4e86b77f8b60750b30a31a4cd80bdf

SHA256
bbbdc83c81c2079bfc594feb639561eb43e692c8ecd5d6e1dc551f6644053405

SHA512
a90b233c55dabd046e9085a8bdb654595b91316b160e05695839a871cef512e97e995f25e9bb2ea59fcb5afb1bb780cacbad87d8a5a1fd8bb142cb0d373ecc83

Download Submit
C:\Users\Admin\AppData\Local\TempOVLJN.bat

Filesize
163B

MD5
cf95fe0813601aad06d04cddf6099776

SHA1
9c65e8c1dd65d5b1879180b13a7147a336755ec2

SHA256
8f7145662cd11c3071ef83a03522248ac6418d9b33037d925a3a1ce91943ae8a

SHA512
9d45b45413e5f9113ede89a5fe5e319201d331e6fa4aab68531e4d8232843e2279e61574257ebb62037ffb2f3c1d3fdb1908e78ee1a0c2c9e6ba05fe16a81d27

Download Submit
C:\Users\Admin\AppData\Local\TempOVLJN.bat

Filesize
163B

MD5
1ff4c30c91199d7c6bbd6c15e820871b

SHA1
f548818aa755bdaab14cc1298ba989d7b99a54a5

SHA256
89b9e55fdd59f52629ed8d9fc7606ba937ee42e42c707697055faa06f1a096bf

SHA512
dff6aa45e6c774f429e933ad7309e4b79671a728b2ae20f5589ce7e2b57b2ebf690ad350e53dfa9933b85e590cbda9280ae763650bd42cc9277d19794f30c53e

Download Submit
C:\Users\Admin\AppData\Local\TempOXTSH.bat

Filesize
163B

MD5
faa45542b86fea9d705ea4ae17f7f636

SHA1
ed380cbb4d2da797ab3a9552818eea4abebbc423

SHA256
5c01c2818f60e7b17dbcf97592cff2f0f2ee590af28656d37b01ab556fcdae4e

SHA512
c97eb6ef400ce4a374b809fbee2df870da3d8475dc75cfc84f6f6ba9dd06d68b9f2fedb77c06fba34e25192c5609c790c334b817df02807ef175430e6ed084ea

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAT.bat

Filesize
163B

MD5
378e718c30b3e3fb504ce13cb1f35687

SHA1
73bc59262a9549dcf3be9f876a0f44d876e575bc

SHA256
09d897e6b99fd1d92f294d7319aeca5659a349a9dee38d35d1994f0615ecaa2e

SHA512
f075a505ab060fefb62e759af93116535f99c5034a5405dd98a0438b04654643b268111feb1d782497c3ce5bb5504cbe1602c7f0f915c9210a6c08cfe5c449eb

Download Submit
C:\Users\Admin\AppData\Local\TempPTTNF.bat

Filesize
163B

MD5
080bb506648af31351f560a2bed3279e

SHA1
9fea8096523bd56dc55b55978a373ccf5804f676

SHA256
828b3afe731d0bf306e3fc4a599dbfda40d4fcc52f7730e4c868f5f47f9b473a

SHA512
d2a84541955924d09d12818db0bbb8eed2c1f9c7a6772475c7472572d4a0fc77bab1ee4b0ce78a4b2129319c9aad09105391e9e9a74d6f129325514331a044e4

Download Submit
C:\Users\Admin\AppData\Local\TempPWMKO.bat

Filesize
163B

MD5
dda85f8b0d58ae1c32bfb3a623293ee1

SHA1
5290027dda62b16265d2cacc70fc8dced232ded5

SHA256
3a56eeaa48064e930e0a457a374cc3c44df9445ab8c0ce37a43a6848ee18339a

SHA512
055f9e8eb1ae0295896234448df3b0d79ea3e6a40a227a1b2fb5dcbf1b974d8d78c7bf4e0cf9d942c9bd76c6248e34d2a8ae4e3b6ea70ce8b1c621c18d177dcf

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVK.bat

Filesize
163B

MD5
aed2566b34c5a80a2c6349bb95d5f09c

SHA1
92ec497b21505affc5800d9969c73a47f88527af

SHA256
6005f8e5baf7daafdf52ae2d66471f496046fd49707fc687ad291792983934e6

SHA512
36fbf0c891d9f646a01a5df607fe1ef0e81a798d0beb15df352955e342712649aefdb4e17731faef3ece678354a54d523a6956ccd5d728ad49d012ab230e0b29

Download Submit
C:\Users\Admin\AppData\Local\TempRSXDE.bat

Filesize
163B

MD5
5ee2dcdf707f3358fd165faf4f5bb8d3

SHA1
44f23abf92a6e5d40ec77a6a1ef55d0434264653

SHA256
cc43868528bc2262f64776caa400f4b756b4fb39c288fa8fe8088a18f0a2e36d

SHA512
646ea55b4cd90b5673f3b1a865b87df1555876fc0de7f446b8ff10d11b8b85eff789c3562bf13f155d8e6799602f796350456eb54f8e45750ffed7a18708a97b

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEF.bat

Filesize
163B

MD5
6105bc3fde7a124cc0a2e4eb5f967c79

SHA1
b5900e1556d52d25834d95c70e2ac296d8acca35

SHA256
6f08d75ad76e65100ba4a6468801ff08a2e8a6749d0190815c28c7d2afffe241

SHA512
82853c4505ff4e3e0662900cdcc24f69874e00ca03b4c184887ac772e024cc84dc9ab33f660be75edc8eb1816f1141fe0fb33ca2f962c534ecc7b4f388685cc4

Download Submit
C:\Users\Admin\AppData\Local\TempRVQYM.bat

Filesize
163B

MD5
623a7c564593ca326ee58d3afc6145de

SHA1
8af04c903a70d779324ace44b5f5fee2e01ef862

SHA256
e6059dadd978802104337b48e9e48ac2480deb49e419a15c62a1e69f067efea9

SHA512
1217d5229064d7ada011861b4adbeb86773e1d808b554e526fae76ef2a9609c9edb62c3cd5ef4555e4ace6b4c041958926c3300da29ab75ca70085a5313072ab

Download Submit
C:\Users\Admin\AppData\Local\TempSFCRR.bat

Filesize
163B

MD5
e755eb78b7a5ca61cdc3e5350b64a6b9

SHA1
50a2afd42012fa29297f63e034860bb47d2138d9

SHA256
46441299c21e34b430896839dcfc0123725a77aa587c37edbe39469bd3515a51

SHA512
7f314d5f6a9dcdd72b6547c87ef656db3ff30d65aca246768e38881d4db168635817a11dc48689e7855eef105a2f4a46df76cfc003559bfea6241a227398428c

Download Submit
C:\Users\Admin\AppData\Local\TempSRDMD.bat

Filesize
163B

MD5
6132939441b1616270d9a490f2fc4509

SHA1
cad27a03670e4f4fc35483729e745377898e5a3d

SHA256
6e0239409b3beb551fc857ec95609dbd1830aef27b258e50b9dc6a389e16a392

SHA512
94344c198cc6f96895693913bffb9df4b0c3d7f600dd1f10ae5139699780d124c6c8783203c46216eb8a3fae9d2adc6770dda7d1425af606afde5bba793076d4

Download Submit
C:\Users\Admin\AppData\Local\TempTBPOA.bat

Filesize
163B

MD5
680e2e9cc13cbe1b58ee8b3fd71964c6

SHA1
0ffe1b8f9425517ea5ef01e2d12bbae60b37ce43

SHA256
bb4aa12fcf304f4ea13c9a7e9a5d9ca7943075065d4cb8166f5b8b513cb9e50a

SHA512
868c3e3b264d0c6888f01a7ca811f84391fe9ad67c4393b15d87769b9f216830dd6c1c24c8bef9413d10918e5e880c53660f26504644d7affbb2e7fcdc7ae492

Download Submit
C:\Users\Admin\AppData\Local\TempTDOTD.bat

Filesize
163B

MD5
b7a0a6cd6afbade1294a17608d0e8a23

SHA1
aba0c1886d38ed73bcbfc0e0d33cc8d793315d75

SHA256
d84bc63c411cff2baffcb2ff76908d39dabde7548a2c620cc1c43bd00bdb093e

SHA512
985702bc8a9c298f41d752de856ec6de57d267a341ee59c76308a10e0b8c76298d7cbc9bce9d33cf5ce4f09cf0c7e4a3b07ea987d26c5b9fd3ab1add9657678a

Download Submit
C:\Users\Admin\AppData\Local\TempUGANW.bat

Filesize
163B

MD5
fe5d4ee7b49b20431a910d565c5f9b9c

SHA1
d73a6dd3a7d59b7fef87d81cb2f048dbf92535f3

SHA256
52e8d88a6ffda3384fbfe8cd9e9b3a5a93548d14473452b6fe88443ea3c04736

SHA512
f41eb2dbbd558429f606bc59d02f205933bf54f5a2453d880dd1a12819fc91f55c47bea6bcdf81dccee60f5cf79294bfc82b8b58a727e8006b7e75737a4ae99a

Download Submit
C:\Users\Admin\AppData\Local\TempUPYPE.bat

Filesize
163B

MD5
6ad063a0efd3c87f4c438a1827652b06

SHA1
4d67aeb3190618090823f912e0058a818dca278f

SHA256
7d001c530fab699b19b39cd34cb64517edc57d6a17dba96304e801e0bad23caf

SHA512
27b958fabde1f39ceeb89b1eb801109232d8a55ee0a751f6def3a5a07e5cfdb3144d18c004aa2f3f1cda371a503185d24451cc655f411941fd88a7f3e8e2307f

Download Submit
C:\Users\Admin\AppData\Local\TempVCTMR.bat

Filesize
163B

MD5
b991a8ccd705921214fc32460ddbc7c2

SHA1
77d9555008b26c62c0da080c36566240ac4d828b

SHA256
cdc4c8d478ea0dc3d74953fb4273a3d78ce9bf8271407e0a2a6a833a5b871db9

SHA512
10127aa4029497b15b455199bf55646eb8656b509dc6d8f990834bb5d5587bcb99b9d2ef43f9e142e06798b72c02b3a864afe402d34bec695841bf5cff83aedc

Download Submit
C:\Users\Admin\AppData\Local\TempVGFJX.bat

Filesize
163B

MD5
3fc18e073107ff6e274c754eb35843c6

SHA1
82918a069a2f830a67a1ad45b309d08648ed9bf3

SHA256
d40713b9e4d51b9fe44e985c3b3f7d84a13f6ca0a5e5fec85d5565202dcb813f

SHA512
9fc17c4e649f2d53edc5b7137379b55b0dd0d034f4e94f3e7c42fc3e3c9624b643e2ed69684adec4b09c6e5f8c6d6fd4f03a79d9bd37c33b64e46c09e67c161b

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
28fe07dfcec0e540f74d062a85544129

SHA1
c4391211562d65b510d480337498a0e07c8b8ee0

SHA256
53d19840efa9f0829edbaabb532a5a11382ee810cd48a2f6b7daae3e750228ac

SHA512
9ae5a194936ba7ebf3b6894639b34e4d2405a87b2026a82dfb73112471c1e3328dfd898ac9688fc4d08248b2d4af87d83db75a85eb9eaa81ce1fc22af8c25ba2

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
b27276983c118e15839b76dc75c9dc28

SHA1
d728189a4f0cb8d008e28313340918768a6d8550

SHA256
52dc9e048ca29a43a5404b9a3172d2be99420587b8505f17208854938716471f

SHA512
a3808f557c92260717a993f0be4e46e03ba562c63bd013137bba6037cebf0e62814ba8cdd00dad5797dff5b27c51d24d10bc3fa0854b4361bc4e84b90b8233c4

Download Submit
C:\Users\Admin\AppData\Local\TempVIPKP.bat

Filesize
163B

MD5
38a0438664242a76bc5b0f19aa13feed

SHA1
2c09c1f997896e7ecd2de9aa041e20bffb6451d7

SHA256
a6ad7c81b2a05e615b8fa8dd7af7422708300bf364d4b7df4ad833d7bb7fcb8e

SHA512
7f81a4b9904a7f01dbb0bf2fef9a5db42277b51ff22a7011a8fe2211defeb518993b146388b0730bc9d0b7a98087a60522edee09c6254b421e5fb76df5f7e4f4

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.bat

Filesize
163B

MD5
95e7cbd9f0857e740eb2751d73327176

SHA1
9d2955be571ef189f25b04d8a33b47a18b7d36e1

SHA256
1bfba4b36f75b9b97232d5cf942bd5f9ca6ef8c492c01caa55af1945b3046548

SHA512
8a091850e2f7bd5e46cfa9e27ad0be09382d44887b2021d3e91d1566d841793b50cb63aeb90fd4e612ada1fb18ba3807420455e10e995fde1f8c424dde3bae6a

Download Submit
C:\Users\Admin\AppData\Local\TempWFFOK.bat

Filesize
163B

MD5
136995d08bf8029fc152609efd5f78ae

SHA1
feba98078b608e7ff79f620f89318e514567dfc6

SHA256
76f998ad80d22315dd921335516d42f5f7a9c66ecfed0303519e1d4e362d10a4

SHA512
f0e2c72f7196b84d31055efda93bf74c22847a8573361da37a2378d4924615f3bb6478b29c8d8ac9a5dad2a24152fb70a30444bba9770122b68c976ac96ec66a

Download Submit
C:\Users\Admin\AppData\Local\TempWVHPH.bat

Filesize
163B

MD5
e7ad6fe950fdbe1fd664bbddf1ff9e8f

SHA1
17e9776bc20fb62d60ba0142d30953f85d013deb

SHA256
0895f3131aa8f8f960ca43049414550506644b04309c5bf0261873214c8b3480

SHA512
ffc415ec40bcb04f8cf247cab71fd7f88792d0f725cbdf2426714d691eba8a72dd539e8001640e1f8aff2dcefeee14a3f1fdc67653fe38492a224020900f5149

Download Submit
C:\Users\Admin\AppData\Local\TempXCUUQ.bat

Filesize
163B

MD5
10ef7664e53a773abafeea04ace74ee6

SHA1
06626c1e0f7a16d3b5bf806d99c90a069af7ec32

SHA256
b043858bb83a29c17c104f696c5afb73ce4b6db7b11876e09bbc63d86eeda8f8

SHA512
8822656bedd7a178046df4f030369c5242c42b4cbb36c1e91692f4cd6d85cbd488982d5376c46b03dcd7674ca13c2c54e00e9393a04dcb10e4e222fa80c6462c

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
c98eaecdb892f9d1209fd060738ddf2b

SHA1
7dbdf16ab89bf6441dc2a846d2d4cbb823072c59

SHA256
a052a3fb462a82bf566b09423cf64322ecc576e5327deb0ff377e7b55e496641

SHA512
7def5edb138a51438f1d81c919c81c5f970878386b699b60d0e947668ebd4c9e36637f976f5477bc22fd7a07f74a9459b632b0d943aea9ef447a5c361e4868e7

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
ba84db195f7d472229e4051ea0002f24

SHA1
d4d7b780d5273d1ec9c7fcdd6bef49c2696b6619

SHA256
91347d6d3afdbd3df151cdb3f91f2aaecfa09cd10ec6939ed211121d84b06dd7

SHA512
a05bffc253cc8028a9865c41670890a9cd966f5dea22c035d2cc991eb8fd573b924540b65de414f1867e3a9bed490eb09af16f3aab2fecd94563a03252788984

Download Submit
C:\Users\Admin\AppData\Local\TempXMIQI.bat

Filesize
163B

MD5
23b334148f422c981734c5e6931abd32

SHA1
73309ce790362c60b09e6846bfedc5fa0fb97007

SHA256
eed120a8c0e01c0cc8dc5b653e163e164398ad91e1ceac1413ee081c23539d1f

SHA512
6086a33d99e2b73b1d03e52641651f6cfb4910e40d3b50e31dc3e4acd123ea5dd85f6e6cfdcac965adf08dbb32cc7af70e8fcfeb1f346b4a664de3cb71f23619

Download Submit
C:\Users\Admin\AppData\Local\TempXSSHQ.bat

Filesize
163B

MD5
59d30af5fbbc430790d2e323ea7bf1c9

SHA1
30f9548b1eae0e2133007f9e0f25eaf450b3ad8c

SHA256
ae21b6a444af4fdbba733bb48a1eee2f2347464aeacaf3f39c71db271a787d50

SHA512
8de5add873b5807e08b0235cd54b47abdcdabf5d43eefbeb4236428e5796ca50246d22eb439c5231b5d800783a4493bd994f7cc4dc2bdccc7ee2c829622db797

Download Submit
C:\Users\Admin\AppData\Local\TempYAHHQ.bat

Filesize
163B

MD5
559765df6500051fcb7b05a531784948

SHA1
a352c5b0ae4650404989944559c6aac131744d3b

SHA256
7218951015fbfda41d6abd84c116eaf053514c2ada6978fc0e50f17fe2ed8179

SHA512
4b5cd8bc9a3792d6a216d5dc71d18177f325038bf513b6415be74f9dcafd5707aa46e276c7b682bfacb74681cbbba554f02ec84289699a410aae25937acb1c01

Download Submit
C:\Users\Admin\AppData\Local\TempYGPGE.bat

Filesize
163B

MD5
7c500fd4d50609ced78333eaadda4777

SHA1
c046358ef816e600b74df1374e95af65dea29151

SHA256
2029b94c19e1fe1c8a0c7a304fa81fae5e06aba193c8a988865ebcaa73c9e66b

SHA512
7f38a4cc15279a695c03ea459ed81ddabebe6e7f88372d6d778df10e68a84a23522c30aacfb6a3d3ec3203212d396814c1549a7e397d11ce66056975ea582b2e

Download Submit
C:\Users\Admin\AppData\Local\TempYRXJF.bat

Filesize
163B

MD5
543956dc3eecb49c9f888994a4a7af46

SHA1
25e6312d9c33fa347206ab3d1c4353b0e3485149

SHA256
f70fa55b8bbb1616becac973a221ab9150897a6e17704fc806db6f4339533381

SHA512
1b71ded3ffd4bad2985799874de87dcb01492387597cfe0b418497c1a0cfd1b16a81880cd357ca2aaa55cda5d63deaf378e56fac3bbd5f76ce8af124c2d1ca5a

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.bat

Filesize
163B

MD5
8d838174ee8ed3220ee3100477da63b9

SHA1
2cc94e920b38437218cc484daf44a3a0cb3a00db

SHA256
e66207d4093fd122c4413c37f7591fcb16b877ac283757947547a7f0a1a0a398

SHA512
e6374bec6072403fe490e4770fdd106182fd3941a2689e63c7d7e2cda67125303d7b133235b8990e458b63c55deb6726bacbea8948714592183321bfc8b0eb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe

Filesize
520KB

MD5
a7169f2c113f464a7ecfc9d96396f136

SHA1
5d638fc7142648a6525ccb88f6b3e9cacab07390

SHA256
509cf431ff20336e69600f276029661f1534fbc565d902c3d0de83ac6603eb67

SHA512
07b93d94cf39150f9fec028b736df3b24cd590460933721d32eabe33c2e8d9433e9c0f38ee5e3c3207e29b51ac8961167480124dcf1593f8a6fa43992dd2f4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe

Filesize
520KB

MD5
e3b4eec9659a97922eb19ea1ad621eda

SHA1
46377f3bc33a4f99e0b93110ec0a5813b9b7d464

SHA256
b3315a443375fdcf6254d27ebd6baa69ffaea014fa3779c5c498462e40b456cb

SHA512
9279cbb5a9e052affc7496824de8ccbb631496451bb0047d4b31a7f5b3773eec8abd3b91475bc02c1c9fcfc3767663490d00a0c306e55e40bf53ed2f402ae772

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe

Filesize
520KB

MD5
fac76ed26d581f7104d237fb2b60143e

SHA1
068fb56823755e96cc90f5d58a997e893690b18e

SHA256
6ee6f71b100c0354a0fd7ad733277a3d17fcb734a8a26f477ffa59b59f083fc6

SHA512
8315fc10351f0747559f9d24c0fd64980015eb2d856e29fcab12b8734b32ff8e07113be22b1e0698b0a9d189b6d53869ed2d2ec0fea782f7f2c488f564a6a1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe

Filesize
520KB

MD5
9970aad1c89e3b99145d8b81e6ef2ee5

SHA1
07538be1b200619cee2b8d36a68716915e31a73c

SHA256
6272c6088866b37ce715a90e2847ccf19cbdad53b743d45239edcb2663e1ef19

SHA512
ef0bc40d8d0e60f6acb9905b40a02a2559a4978cb41115bb0d7e89f4a301239e352ab58f40ab1f7f0499ea37af801debf788f932442f1ee87fc59c77f3162cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe

Filesize
520KB

MD5
73f9d62fa8791483ab3c759add48f007

SHA1
f3c72ac26e799994a5bf029ac408533830e55b66

SHA256
bdcf31e62e9651b51ba39cca9da8f73d8c0cff41ce52de53d90262a50367e9e8

SHA512
0d41023fa0765d44d12f2e622a687c703b6f11f36027bec364abd7c9c3f42fb7c64e98f3cf229861e275dad12bb883703fbe07f3cbf78c88620d8f76756c9a9e

Download Submit
\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe

Filesize
520KB

MD5
177e4e2bb4a7a3406b101f037aca5e78

SHA1
f9a95a9ebf1734a4218f84421eb04e836c4ce7d7

SHA256
6adfdb4dea0d79fec8ea0ff7027818ff3f4c36e517eae6a30501c0ef993b769f

SHA512
3a394a6d09a18024a83fa6d0ed81635992a42cf3f9060e8043861e7f9a40e33bebf471b4a318e9ef88f844d38cd64d351f21b98175bae4811c666a085a7d0c82

Download Submit
\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe

Filesize
520KB

MD5
fcabb82ea70531351388ea29a056c3d3

SHA1
64e2ba2e47e1dca6b9a4efa3790751bbb31aa769

SHA256
33f631c00e0f69b065231087bfda2c058325a73eb4f93cc4ddc48807d4b6c296

SHA512
070b587f2ed09012a67a74dcbe69c2992bb9107092bbea0431a6da830a70f84658a2e82cb4a8e8f60144faa387645260599d8184a3e772e67ff22373393b2455

Download Submit
\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe

Filesize
520KB

MD5
b2e542c7cdaae561dfd9c48a4d502dcb

SHA1
e7d1cf86801d88e05a93234efcf61416c03d93e3

SHA256
6af65c1653c3cb7cac90c89fe720fe61deec1ac5a6ecd13a332fea0ed0fadaed

SHA512
f186c99fdc490c3fafc288c945bd8d493001a578a4b79d898e05337c8a0a22c2719d36eb861f0017a5f94707370d66523f26150c2fb39fcc0a8abba0fc283d0e

Download Submit
\Users\Admin\AppData\Local\Temp\SKJRFFGBAGCXSFM\service.exe

Filesize
520KB

MD5
56227295293efb247de0ee0fd01475ec

SHA1
a738aa9c52bfe7bf64ac25f6672607fce296bd52

SHA256
98d2e59054926ec85ebd662103c6704b7875634f518a753c38d46226bfb007c3

SHA512
3416a8811ac74efc991c89ee6019f8c7ed60fa1459b0ae214d31a761da2e1b7c30d5c9be65fc3636b320d3c7c4f022151b776d29745ae137d7a55adf9c0d6803

Download Submit
\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

Filesize
520KB

MD5
c7e52b5a9047d53fc83e087fb2785981

SHA1
7e63db350867096710b33ae485f1acd1c31a1a03

SHA256
38f3ecfcaa7fe86b2b14c492ff9dc078e45ae8acbca3619eee1d96fa4e62b960

SHA512
2324c51cac3f32da98f6890652c65aa754135eb02a7beb305bd37d2047239af213eb29fac2db472cdae4cd26137c45809358ee9f1ea2f247d45be44cdf5bb765

Download Submit
\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe

Filesize
520KB

MD5
b7273b69f7ad93727cb6cc83b99a9939

SHA1
66fb453b0d9e12dd6a69e0726b3d9dc82abb996a

SHA256
c7e4041a11b44c9fa9cf23444bc031bff3912d0ed96197c641b92c45241007fa

SHA512
123e959982976e6f9f62e3c0bd93db04a93bc8cf047fdc5d0aa7114a7a78b4698646a3d4dc3899332a479fb94a69c5593d46461065c041ffdd50d8cc262ee132

Download Submit
\Users\Admin\AppData\Local\Temp\WDVFRRSNMSOERYI\service.exe

Filesize
520KB

MD5
8a414e127734c2d6c23e6fe1e2fceee6

SHA1
4fdf3d54a0835a5ad7a278b31313a618d4633a85

SHA256
06a6ab4f5187aa6fa4bd737fb3ecdcc15f8a749ed89ffd2443524663da91311b

SHA512
c596234d9546331c3292104550c266d5aa9c2d7b973d3234971bb93e2402d99891608777a0404c909b1e592bc601b39cabe4bd9cc409bf5b79d0de4c85e92aee

Download Submit
\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe

Filesize
520KB

MD5
10388577be73b84b98a52598f5e3d30d

SHA1
ad3955664d8bdade8757b79bb7c25c82e5121304

SHA256
0f32af2cc445a528f2b37dad92e0e059779cb06ce0ed2e67025b111e15075f38

SHA512
3de3d98f9e4903f6b2788c7e3f14c5ebb66ad2bf0a1e5676dd2550b95eb8f47e9d99725506795405f3cc5e2e1e4a8412ec86e2d69d150cce905be16b1f4f4246

Download Submit
memory/1280-1777-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1280-1782-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1280-1783-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1280-1785-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1280-1786-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads