blackshades | 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
Size

520KB
MD5

667516e24eecd896dd4283cbe83980e8
SHA1

9dbe2a7f1c0673095a529d6719158a27a86613cf
SHA256

75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1
SHA512

03acba91f185699c811789b806f5dcf4e1b070a77eab463c2affc431740507d502201dbb11ddcd58691d876dca47ecc32ba085277334da849be7c525e97d35e8
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX9:zW6ncoyqOp6IsTl/mX9

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 5 IoCs

resource	yara_rule
behavioral2/memory/2904-1650-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2904-1651-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2904-1656-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2904-1657-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2904-1659-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEEAVQDLF\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 64 IoCs

pid	Process
2156	service.exe
2644	service.exe
2256	service.exe
1148	service.exe
4060	service.exe
3300	service.exe
868	service.exe
4604	service.exe
2600	service.exe
2124	service.exe
1392	service.exe
2852	service.exe
2144	service.exe
2784	service.exe
1916	service.exe
3596	service.exe
1204	service.exe
1456	service.exe
860	service.exe
2708	service.exe
2584	service.exe
3832	service.exe
1476	service.exe
4876	service.exe
1856	service.exe
2660	service.exe
1252	service.exe
4260	service.exe
3268	service.exe
1084	service.exe
3400	service.exe
1752	service.exe
392	service.exe
2092	service.exe
2852	service.exe
4316	service.exe
1268	service.exe
1488	service.exe
3660	service.exe
2412	service.exe
4708	service.exe
8	service.exe
1128	service.exe
4864	service.exe
3676	service.exe
1488	service.exe
4436	service.exe
1792	service.exe
2496	service.exe
1392	service.exe
4480	service.exe
3996	service.exe
4328	service.exe
3172	service.exe
3404	service.exe
5056	service.exe
4016	service.exe
1796	service.exe
4528	service.exe
3024	service.exe
4072	service.exe
4424	service.exe
3152	service.exe
3668	service.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDEYAVPDKFKXGSY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIURPTOVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDRMKPCPRMFIKTP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASJGBUYKLIRDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRRFGBCXSFMHMIU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBROYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCULICSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYVVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIXWKLHFHXKSBMR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IHLYCMSKBACESAO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNSDBFAITVQORGU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLRIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMAABWBSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YEWVRSFLSSDXWLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVCDAIBGUUIJECF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHFMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAUQLUGVBFVWTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUWRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMGBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EXVEEXNIRIGRPOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUXIMSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLEKRCDQWNVKUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOKJWDNWUEBLFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIWDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVNUJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVTRVJMIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEUMAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRREGBBWRFMHLIT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGSYOMQLTHJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEUPDKF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXLXIHLYCMSKBAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWRHVDLCX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYWFFQXNLPKSGIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDTOCJD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBEPRMKNCQXGSWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQCJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGBQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSJITQPTGKGEUSJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEEAVQDLF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQVCDAJBGUUIJEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLPKSHIYAHIQMVM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WKWHGKXBLRYYJAA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVOTMCMGEHXTUCP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKTKUQLUFVAFUVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUEPU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BPFTOMRERTOHKMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDMWUEALEYFVOST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBCIAFUTHIDCEUH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXJJCWBDUQQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHQHQNIXRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELHWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCQMKYPBORMFIJS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKIQCIN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVRPTGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPBBPUMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRKLVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SJSPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GHENFKYAYMNIGJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNDOHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYUWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRMCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDCFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOKHYWMMOJCGHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKIMHODEWVDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKUQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPBIMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULICWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YARKQXIJCWBDTQQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJKVSQUPXLMFMMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYAYLNIGJYMTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXIJCWBDUQQ\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4116 set thread context of 2904	4116	service.exe	377

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4336	reg.exe
2968	reg.exe
464	reg.exe
3596	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2904	service.exe
Token: SeCreateTokenPrivilege	2904	service.exe
Token: SeAssignPrimaryTokenPrivilege	2904	service.exe
Token: SeLockMemoryPrivilege	2904	service.exe
Token: SeIncreaseQuotaPrivilege	2904	service.exe
Token: SeMachineAccountPrivilege	2904	service.exe
Token: SeTcbPrivilege	2904	service.exe
Token: SeSecurityPrivilege	2904	service.exe
Token: SeTakeOwnershipPrivilege	2904	service.exe
Token: SeLoadDriverPrivilege	2904	service.exe
Token: SeSystemProfilePrivilege	2904	service.exe
Token: SeSystemtimePrivilege	2904	service.exe
Token: SeProfSingleProcessPrivilege	2904	service.exe
Token: SeIncBasePriorityPrivilege	2904	service.exe
Token: SeCreatePagefilePrivilege	2904	service.exe
Token: SeCreatePermanentPrivilege	2904	service.exe
Token: SeBackupPrivilege	2904	service.exe
Token: SeRestorePrivilege	2904	service.exe
Token: SeShutdownPrivilege	2904	service.exe
Token: SeDebugPrivilege	2904	service.exe
Token: SeAuditPrivilege	2904	service.exe
Token: SeSystemEnvironmentPrivilege	2904	service.exe
Token: SeChangeNotifyPrivilege	2904	service.exe
Token: SeRemoteShutdownPrivilege	2904	service.exe
Token: SeUndockPrivilege	2904	service.exe
Token: SeSyncAgentPrivilege	2904	service.exe
Token: SeEnableDelegationPrivilege	2904	service.exe
Token: SeManageVolumePrivilege	2904	service.exe
Token: SeImpersonatePrivilege	2904	service.exe
Token: SeCreateGlobalPrivilege	2904	service.exe
Token: 31	2904	service.exe
Token: 32	2904	service.exe
Token: 33	2904	service.exe
Token: 34	2904	service.exe
Token: 35	2904	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4872	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
2156	service.exe
2644	service.exe
2256	service.exe
1148	service.exe
4060	service.exe
3300	service.exe
868	service.exe
4604	service.exe
2600	service.exe
2124	service.exe
1392	service.exe
2852	service.exe
2144	service.exe
2784	service.exe
1916	service.exe
3596	service.exe
1204	service.exe
1456	service.exe
860	service.exe
2708	service.exe
2584	service.exe
3832	service.exe
1476	service.exe
4876	service.exe
1856	service.exe
2660	service.exe
1252	service.exe
4260	service.exe
3268	service.exe
1084	service.exe
3400	service.exe
1752	service.exe
392	service.exe
2092	service.exe
2852	service.exe
4316	service.exe
1268	service.exe
1488	service.exe
3660	service.exe
2412	service.exe
4708	service.exe
8	service.exe
1128	service.exe
4864	service.exe
3676	service.exe
1488	service.exe
4260	service.exe
1792	service.exe
2496	service.exe
1392	service.exe
4480	service.exe
3996	service.exe
4328	service.exe
3172	service.exe
3404	service.exe
5056	service.exe
4016	service.exe
1796	service.exe
4528	service.exe
3024	service.exe
4072	service.exe
4424	service.exe
3152	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4232	4872	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe	88
PID 4872 wrote to memory of 4232	4872	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe	88
PID 4872 wrote to memory of 4232	4872	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe	88
PID 4232 wrote to memory of 3192	4232	cmd.exe	90
PID 4232 wrote to memory of 3192	4232	cmd.exe	90
PID 4232 wrote to memory of 3192	4232	cmd.exe	90
PID 4872 wrote to memory of 2156	4872	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe	92
PID 4872 wrote to memory of 2156	4872	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe	92
PID 4872 wrote to memory of 2156	4872	75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe	92
PID 2156 wrote to memory of 4772	2156	service.exe	93
PID 2156 wrote to memory of 4772	2156	service.exe	93
PID 2156 wrote to memory of 4772	2156	service.exe	93
PID 4772 wrote to memory of 2532	4772	cmd.exe	95
PID 4772 wrote to memory of 2532	4772	cmd.exe	95
PID 4772 wrote to memory of 2532	4772	cmd.exe	95
PID 2156 wrote to memory of 2644	2156	service.exe	96
PID 2156 wrote to memory of 2644	2156	service.exe	96
PID 2156 wrote to memory of 2644	2156	service.exe	96
PID 2644 wrote to memory of 2408	2644	service.exe	99
PID 2644 wrote to memory of 2408	2644	service.exe	99
PID 2644 wrote to memory of 2408	2644	service.exe	99
PID 2408 wrote to memory of 752	2408	cmd.exe	101
PID 2408 wrote to memory of 752	2408	cmd.exe	101
PID 2408 wrote to memory of 752	2408	cmd.exe	101
PID 2644 wrote to memory of 2256	2644	service.exe	104
PID 2644 wrote to memory of 2256	2644	service.exe	104
PID 2644 wrote to memory of 2256	2644	service.exe	104
PID 2256 wrote to memory of 4236	2256	service.exe	105
PID 2256 wrote to memory of 4236	2256	service.exe	105
PID 2256 wrote to memory of 4236	2256	service.exe	105
PID 4236 wrote to memory of 4344	4236	cmd.exe	107
PID 4236 wrote to memory of 4344	4236	cmd.exe	107
PID 4236 wrote to memory of 4344	4236	cmd.exe	107
PID 2256 wrote to memory of 1148	2256	service.exe	108
PID 2256 wrote to memory of 1148	2256	service.exe	108
PID 2256 wrote to memory of 1148	2256	service.exe	108
PID 1148 wrote to memory of 64	1148	service.exe	110
PID 1148 wrote to memory of 64	1148	service.exe	110
PID 1148 wrote to memory of 64	1148	service.exe	110
PID 64 wrote to memory of 3672	64	cmd.exe	112
PID 64 wrote to memory of 3672	64	cmd.exe	112
PID 64 wrote to memory of 3672	64	cmd.exe	112
PID 1148 wrote to memory of 4060	1148	service.exe	113
PID 1148 wrote to memory of 4060	1148	service.exe	113
PID 1148 wrote to memory of 4060	1148	service.exe	113
PID 4060 wrote to memory of 5112	4060	service.exe	114
PID 4060 wrote to memory of 5112	4060	service.exe	114
PID 4060 wrote to memory of 5112	4060	service.exe	114
PID 5112 wrote to memory of 2280	5112	cmd.exe	116
PID 5112 wrote to memory of 2280	5112	cmd.exe	116
PID 5112 wrote to memory of 2280	5112	cmd.exe	116
PID 4060 wrote to memory of 3300	4060	service.exe	117
PID 4060 wrote to memory of 3300	4060	service.exe	117
PID 4060 wrote to memory of 3300	4060	service.exe	117
PID 3300 wrote to memory of 3860	3300	service.exe	120
PID 3300 wrote to memory of 3860	3300	service.exe	120
PID 3300 wrote to memory of 3860	3300	service.exe	120
PID 3860 wrote to memory of 3856	3860	cmd.exe	122
PID 3860 wrote to memory of 3856	3860	cmd.exe	122
PID 3860 wrote to memory of 3856	3860	cmd.exe	122
PID 3300 wrote to memory of 868	3300	service.exe	123
PID 3300 wrote to memory of 868	3300	service.exe	123
PID 3300 wrote to memory of 868	3300	service.exe	123
PID 868 wrote to memory of 4728	868	service.exe	124

C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
"C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBNVN.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MCQMKYPBORMFIJS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3192
- C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe
  "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2532
- - C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQFOB.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJKVSQUPXLMFMMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:752
  - - C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe
      "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRPTOV.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRRFGBCXSFMHMIU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTEDHY.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBEPRMKNCQXGSWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSTYF.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YOKJWDNWUEBLFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXJGLG.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJSPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        9⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNOYU.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        13⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDCFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGSYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUKIMH.bat" "
        17⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLUGVBFVWTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCULICSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
        19⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
        20⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
        21⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
        21⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUWRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTKFO.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOKHYWMMOJCGHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKIMHODEWVDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
        24⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "
        25⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHGTAX.bat" "
        26⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEWVRSFLSSDXWLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBOWCU.bat" "
        27⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXWKLHFHXKSBMR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPMQLT.bat" "
        28⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PDEYAVPDKFKXGSY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVIPK.bat" "
        29⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQVCDAJBGUUIJEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAA.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPTGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYAYLNIGJYMTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESAON.bat" "
        32⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXLXIHLYCMSKBAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVTRVJMIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBKVTR.bat" "
        34⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLPKSHIYAHIQMVM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        35⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
        36⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNHCYQ.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IHLYCMSKBACESAO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
        38⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
        39⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTCOTD.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GHENFKYAYMNIGJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCDRNM.bat" "
        41⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKWHGKXBLRYYJAA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
        42⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPJOLW.bat" "
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VBCIAFUTHIDCEUH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        44⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIURPTOVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        46⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFQXNLPKSGIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        48⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe"
        49⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOSNV.bat" "
        50⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRREGBBWRFMHLIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
        52⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        52⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        54⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGBQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        55⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "
        56⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHQNIXRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFJJDB.bat" "
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EXVEEXNIRIGRPOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCNTYK.bat" "
        58⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKTKUQLUFVAFUVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUIPKP.bat" "
        59⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVCDAIBGUUIJECF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f
        60⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUA.bat" "
        60⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSPAUHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f
        61⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJLGCD.bat" "
        61⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSJITQPTGKGEUSJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
        62⤵
        Adds Run key to start application
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESAON.bat" "
        62⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXLXIHLYCMSKBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe" /f
        63⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCKBWL.bat" "
        63⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HNSDBFAITVQORGU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe" /f
        64⤵
        Adds Run key to start application
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHQHE.bat" "
        64⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe" /f
        65⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCOWNH.bat" "
        65⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDRMKPCPRMFIKTP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe" /f
        66⤵
        Adds Run key to start application
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFGDL.bat" "
        66⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMWUEALEYFVOST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
        67⤵
        Adds Run key to start application
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
        66⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
        67⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPFTOMRERTOHKMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
        68⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
        67⤵
        Checks computer location settings
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
        68⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /f
        69⤵
        Adds Run key to start application
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe"
        68⤵
        Suspicious use of SetThreadContext
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe
        69⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        70⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        71⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe:*:Enabled:Windows Messanger" /f
        70⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe:*:Enabled:Windows Messanger" /f
        71⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        70⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        71⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        71⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHHQM.txt

Filesize
163B

MD5
bfaa2fa051ecdee4bd335049a464d9a3

SHA1
dc06ad549275eeb7f81ec592b04b1e9b0e5a9c86

SHA256
6585e73a303c780ae67170b23512ffe6e1c4f52e3ea969efad5687ec7d785292

SHA512
024deaa1dbbd3923a970364708c7a6522e2226d42c2fa88d7095594be8270d0b6a8ad6888710647f78b84aa3c9fb3052c80dfa731d5a170bb419392763647d54

Download Submit
C:\Users\Admin\AppData\Local\TempBEFPL.txt

Filesize
163B

MD5
987c8458662eeab733267717194dab10

SHA1
7dd9830cd4baaef90b3c205db35756383fbca135

SHA256
129efeb13fe3eb79c0d5c886dd20022d15df42ab0c95f79d4f09c26cbdccbe19

SHA512
b83d2df29028f61fd70719311acae4ca08fba183cfec0ca56f4954865f1bbbe7512b6406d92a47eb236b10f4d1b1c54c8131eb3bb5cc2e898892814fc174f0d4

Download Submit
C:\Users\Admin\AppData\Local\TempBKVTR.txt

Filesize
163B

MD5
e96e321e0d958fefc515bce0eee69efa

SHA1
572020c477b6360c7d8962c73cdbe7395d502a00

SHA256
f8529a8728fe98d79b99baeebd66cb44e8c13f7a0263d822746d04d7874fc1c7

SHA512
d5ef1fb7bd1d01caaa944007892ad3e8e7900d55e38a6460252913ccf8bd033d9bbc1212190853717bc248f5a8fe6cc4a1d20402523c7fd6a6132ebca8c787c5

Download Submit
C:\Users\Admin\AppData\Local\TempBOWCU.txt

Filesize
163B

MD5
87cc50695f15c2f63b4666c97e17c811

SHA1
a3a256a7638a40dfa5957b9e0075c2166face646

SHA256
ce1b528777903638c3d1d54e431f4401ec3cb9373d6df0fc2cb627eafaac01b8

SHA512
61b1158f880c6e4043883c26d0e65fea323d2bcd341158d8df51ba578e8b9f7a2cad067c6af5d5cff5ad95d96a26d6ab353d5ee642f6d76a9f1edad62bbfd687

Download Submit
C:\Users\Admin\AppData\Local\TempCDRNM.txt

Filesize
163B

MD5
bf2c1572765208029d1140dc018927e0

SHA1
3328c95270b5502797cdd266aeef728bb058f318

SHA256
506d32539093f4e3ff009ef517d883026fee6b0f787cc3eab6bf879ff4ead966

SHA512
900a47cd898993f98331fe4ffb24742f84c85769aa0718863f27240bb36406527e1930ffc4a50ac23a08ae4806b7683d7fa7e0ffb50ab0198f1c5dd4b1441419

Download Submit
C:\Users\Admin\AppData\Local\TempCKBWL.txt

Filesize
163B

MD5
84fc039c54cc69d4b22281a3bd8277a7

SHA1
9a84b182f92b014b5ded116b51de0656a2c653fa

SHA256
2a96c7a5878b14d18aff5081b15ae31d2798f2899320f9e9ec5b14f94125d7af

SHA512
a6ed04f2d6048a98a661a90074329f3ee531139c1d9965b6c224bbf0ba9ba2c1888e9396b2ef41abd8a4484ee9ddbd7c4666ecb05ced314663c584f9bbfcf120

Download Submit
C:\Users\Admin\AppData\Local\TempCNTYK.txt

Filesize
163B

MD5
475731ebdf5491f601dba41d5133c888

SHA1
5deec8772334d6e1a1b9b0c9da089f645b3850b7

SHA256
d5e46bead89bfd2ca30f3a5f57089d6756aec8ab4c965d19a48d610dfc738a34

SHA512
d24965a896102abe6f28034561316b493d0608e7cf8ff5fa2831f2c449bf5bdfdf5a47e2aae4e0bb9015d8aa293976a07116d2ab1831239d046ca8eabcdd77da

Download Submit
C:\Users\Admin\AppData\Local\TempCOWNH.txt

Filesize
163B

MD5
4ff67c7ad8f7cb3a5150d20f0441fd19

SHA1
dd5fd9ef937a200488b6a900dd4c1d0dce70d1db

SHA256
72fd430a0a705e3b8f97bbaa7eaf486a3ddaee4ec3719185d00d35ce0e645a01

SHA512
c01120fe1b945870b92cce5113cc86e3047ab948bd2b9f55a694a73f1232cf00f7aaa3f5647b36cc09bf2dfb9a503e89e4f633941fb858ec8ac4e1f11ec3e8c3

Download Submit
C:\Users\Admin\AppData\Local\TempCWAMY.txt

Filesize
163B

MD5
4d4091459af74a77721c38b55804957a

SHA1
ff472eaa805892be07006d056f1eb01a3885cac6

SHA256
1fadc6c62b8682e1c2cea26e8fbf0287892ea7e2499684b121a97e2203fa9c18

SHA512
cd8a39643eb396eb0dba86fd004682d14226ca6ddb18540e2958d51b4199a2729a7836e082ef41ace4d8a04b28b9a2531b68d14b0f9de23f03281772531f664c

Download Submit
C:\Users\Admin\AppData\Local\TempESAON.txt

Filesize
163B

MD5
a001473333022899c9dacafdade0e104

SHA1
b880e4a9a640f72a935155f658d3192b739f2c11

SHA256
9cb662c00791ea13303bdf95abf1d94e901997c261cf3daf3cf84c305eb0985a

SHA512
fecded9fc51f17d40e4decaa45127bae6ed2f89da57c31b9a04fbae20da576a858deb39995f57c5e7f514c635d678742de456c157e4e705db0e82119d5e19bf7

Download Submit
C:\Users\Admin\AppData\Local\TempESAON.txt

Filesize
163B

MD5
711994a7f79a8dd38a8c5f0fd82752b1

SHA1
519f32ec2c2deb669ab58cd937f8aabe1e15a3f4

SHA256
026a44b024801bdcb33f53ba18bcef6763fc11edb924980dd4353a1f8130dafa

SHA512
7d2b4a5ab3a6e7cfc9361febc92b382454e678b0e899c1990ff46f18a88e04cae461d121096e8823364e2ab0f99f4c7fdd2eb59c3b5f39775c29f9deceb341dd

Download Submit
C:\Users\Admin\AppData\Local\TempFJJDB.txt

Filesize
163B

MD5
9207fe76b388c0905d7a4918eb992b03

SHA1
b6a86f0bfb7e2a6038f7791e3d6d325a4adf368f

SHA256
5b5ee4acd07ad0c45152cd82eb10907b16409c1270aa664097f3b48d643f2b90

SHA512
c9fd91bc389b96dcc70765ce80361a1fcc2daa56a7bab4427e38be41000163510514840d7f74df413c36c878ecbc3012c38b5ec60fc49d5a4ae42f7b433a6932

Download Submit
C:\Users\Admin\AppData\Local\TempFVIPK.txt

Filesize
163B

MD5
583ea3fc5095dfdaaf7618dc30bbab46

SHA1
08b45396a4b04e5f69dedc41b718c50ec2de085b

SHA256
9d5968081bc1649ef7a65ef14893cbbfcefcd2d6b2522a386702f47bb7accbfb

SHA512
2816ac5c7d645ccbd5983d2d5aec4ffb84c8be95633e3f56104071714500f4d8c83690235c3c0cd380023a5e397425190bd2cbf29eededf5d418cd658d933312

Download Submit
C:\Users\Admin\AppData\Local\TempFXWST.txt

Filesize
163B

MD5
f5dddc8c8195b915447e8eca984daf4a

SHA1
92ac8e13c3544047b426c6a188f1e272801f7f73

SHA256
b06d5882fc6605999b1c1165924a3d714579131c568bf8042f795dacbeac91a4

SHA512
f2bb539fa5e023adfd3371e6623b7104a9339046af16b3bb64dd54ac15de7f4924414e2eeb5de51270df6e69f66a6a734e3955dc4edd2afe9299c6046921db77

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.txt

Filesize
163B

MD5
55eac6291ede42a90de5207804c0e0ec

SHA1
f53972b85dfc194f41acf4fec1ac1ae71f8d63f9

SHA256
40b95e7cd44d32cf66e2a6add1cbd09310d05a51d59d88e9dc656ee90602efae

SHA512
d041313443f64f4571a67fda74352f256e85cd7c2d343f4171c4eecaac9c468eca9dbc427ddb8005da088bae2d6b888908245a5fa520b4ee92167a2f0819e3dc

Download Submit
C:\Users\Admin\AppData\Local\TempGBIWE.txt

Filesize
163B

MD5
9d8a73676ceac800fa001ece1f4e52f3

SHA1
789fff73252bda26653a511337e96d9121f836b7

SHA256
aafc7d8db206d922031bd9a5dbf1ca1464ac43ea064d603a0b121df667734d51

SHA512
b12df097cd279226c2d14d973c512569288e0dd08cba97f8c17648413ec34dff158e34061896954d0fd016e01297c2ffc636d0b70494672ff697cb74c4d401df

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.txt

Filesize
163B

MD5
a05bc5c948181b8882b7b95448172f1e

SHA1
9dcd6a7078ad15bd61db8a84bbf43688fb27742b

SHA256
42691c7bac5d448be2e134d9011b898323a2329d4bae67b70058574e0563b226

SHA512
24d9d2f4ad6f7b0c5707928055102c4219220aa55df2cd05340728fdb09121e74ea9a5a3ad10c9deb1cbf1d134f2a6f73bf904111318d0ca1aec583d3680880a

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.txt

Filesize
163B

MD5
15f356bf716202506bde9dc0a1b921c2

SHA1
b0eb51d47e256c9b5a4513758d86412366986f29

SHA256
ed37a3e08259934e790ca1a78068a0d3295371cef6ed81749173552ed42e1983

SHA512
32dc9603e864597514149d9fe1a84f79992d5a4b8a5d7cbe89cb4a5b5b5c7409798333ccef12906f54694dc262a22b7cd73a32453ec4cb47c29e935139ec42c8

Download Submit
C:\Users\Admin\AppData\Local\TempHGTAX.txt

Filesize
163B

MD5
96b45457d58b0a74d454f7773168579e

SHA1
69f165ce112b526cbc2bb99cfca76b3878f5bc3d

SHA256
44ad5611744904355d8f42e7698c2cc0405c8a37f8b43879d93b21a0134f0f69

SHA512
950cce5090dcff6e5c24b8f161c4aa083a7a8d1f5a94bdae1cb7f475c13023f0ec6d7ef1bda94ab9145f4fb41e94364d07869d2d30925d4639fcb7b49a3373c3

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
65051c70fb370f0677d286ed2bb6bbc2

SHA1
fd7d7addbb9b886bb624ed5943299ac1b5736fee

SHA256
c057dd885e2c0d5fcc08c30e83f212943a4ed1ad4f301dfab2d9ccf2dc6e6aa9

SHA512
fb891f6c8f8ff0921c96a17fa47f43136c5d4f384d954d0ad325c903f54990d96c1efee4f69b79fc267a96e87157b7dca4d805799d9f05a0584b1f020014e145

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
0ad59275a022c5e20e87ee3b1a5005a0

SHA1
3f71e6923ba2404a0aa4c59827701abfa89af383

SHA256
dc2f20de3ae28bf281fb113fb03b1e76b81bd7addf0f5f76be20cfff0e3d419e

SHA512
175201b62f9302dec4f9a597f0bd94209ce1bc41fb6c694cab3edd53459aac5ec0d411a2a1ac9fb7df4e252cc5971e11906592264d2ca7a2c0cc60367dff1b08

Download Submit
C:\Users\Admin\AppData\Local\TempIRNVM.txt

Filesize
163B

MD5
fbf8beaf48fdc011e243d8595f2140f4

SHA1
92bc32a451b9666446a343abf3389a9653dee951

SHA256
cb6b58412c832a730e896acd16f40bc0679312df5c467bfdf5e10c66495aea49

SHA512
286d70c6b86c59d8fbf3e56bce71c36c7db06b77168b5842499065573c65f684c18f895301cf0d0210dbe801369df91c636d6e2cf31fc89e1c4c35f8d8642bb7

Download Submit
C:\Users\Admin\AppData\Local\TempJLGCD.txt

Filesize
163B

MD5
f637d8b13ec271b6d272523d5015a3eb

SHA1
bbf29700ebed4f822b1664aaedb96ea6f3af2265

SHA256
34d45d4fb598ea5d45283194a05525559c32ee10d0a40781dbbabe66305b94e2

SHA512
634e930da8bcbe13e94ca07820cb9b5bffa959cf778f57c91a5afe1599f82ff882ec388c8b6c026714a758667b9bbea1811cdc692b5ec043b09bde0549259c7a

Download Submit
C:\Users\Admin\AppData\Local\TempJSNWN.txt

Filesize
163B

MD5
2b26c884ede435aec0ef937c2946e464

SHA1
aed29a08df61ebe0ebcc075c5bb66b48847fb040

SHA256
953e2072ff24fe7a62f3c10d1e69973b30b7ca2dceb528c52b7b7fd2dee25e59

SHA512
ad1c4d9b4938328e5771abb5f50eb9df89bba7864c4d21ef57a4cc89e330fd31a3925059551cd7fd82b1c0b462731ee7e9bf4d46ee0edf268ce45f7cbd6004c5

Download Submit
C:\Users\Admin\AppData\Local\TempKNOYU.txt

Filesize
163B

MD5
11ba06449b0fed6f98191316260722e7

SHA1
7954fbe57520cb3d858059ccd373e28c3a87b5d0

SHA256
5b2bbe6fa1d404c9835ed1bac8aae3c9d0118c0cc9b6e3a70ad625a14d4478e0

SHA512
1c9bca04351ee2a84beb0c2b52440b36e20985798401d4c6de3c22b8a846120f4ce7b339893dea64b2a4d10b966a52cc64cd7dc14eac41f1c9cf84d0800f85b4

Download Submit
C:\Users\Admin\AppData\Local\TempKTFLQ.txt

Filesize
163B

MD5
d55e6f40d7cd30b45c4d53f24c07ffa0

SHA1
858e175f6baa0cd28d08af0fa4a81323378c5444

SHA256
e1f38603ef277b3320508246e951856963b81f2e98862f9ce6bbce6d2d631763

SHA512
90b2938eefed287196c17a415d01882c0b8ab07ea54e226762f76cd86fd395ca912c880c88048a06fb0fb89d09b63c1aad8732910a5d7d395d978bcb5f00a584

Download Submit
C:\Users\Admin\AppData\Local\TempKXFOF.txt

Filesize
163B

MD5
f5e32640b80a435dead33fee40e71f4c

SHA1
e43db0656ee9805498e1bb9f416440adb48a4717

SHA256
89e0d74c0f0a3411e1758fce5992828b2bfeabf24c228a7d04cb3b678760667e

SHA512
37f5ef386f4cb358cbcb2f4a98e3524e53fd262968679059d00365aff0a1ef73fc0e3e693c131ebf79c1c7d21b6c7d12aeaf2d7f5d15ad303d2db585972cb0e3

Download Submit
C:\Users\Admin\AppData\Local\TempLHQHE.txt

Filesize
163B

MD5
f1a04c73db54f6b1409726d80a78eed0

SHA1
88a4b47f4f23b86b4051d5afefe50e68a4fab40c

SHA256
0d8841ccb39580507b12ab2654db7fb0e4ca6f8ffaf1d2f1af6e1e9e205439cc

SHA512
da60fdc98ccd3616448e6e6967a134f418fda4a2afee558f1dee509727ca14073db16ff76463db02dbd6eb97de27af0a3f2ae33136c8d01d8ecf1695f5009f3f

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
0ad6c9500e0217c6a48554d553396c1f

SHA1
ba19a344bcef4b2edb43ff807dd4aec698822639

SHA256
819a70bd41db67deebfb277a07da2ea0319aae00f012a4cf28d2a713ee2c7d3d

SHA512
91378178711b44ff33de321b82a02a58ae4e73bc2cd3288b0b0f370f5cca6e4633fe5c67c21e9b6e340dbae03c2483cd5c093b641e29c8d2c6dd988bbb9fa488

Download Submit
C:\Users\Admin\AppData\Local\TempLTKFO.txt

Filesize
163B

MD5
600de9ba6410731f1dab1b1209f9b7cb

SHA1
95eaa59fe43e255ec9f6ed03fcefbdd8d8e3bf26

SHA256
00a1f7d9e97d7dfffba22410abdf3fc13ba7c996208474f55ca7240af930b4e7

SHA512
f2525d858df80b87dbc1ea4ccedec63a054e4ec7ea68506d02fcc122d9bd4c4c5724afaf00df867f8d3e68e6bb101bbd29208e439b2969a810ed00e49d793ac9

Download Submit
C:\Users\Admin\AppData\Local\TempMJRDK.txt

Filesize
163B

MD5
469f3e5ea5e8cd2c141fab98f2f64e1c

SHA1
b515a918878ae4e5e292acd4b871388bc445161e

SHA256
b058ef8d671332bb18372495bcc723fdd18cfa6f7353d9c16ca997caa2df44e9

SHA512
2f86365055577c89259b0340e93a9c88856955c1fc7f1f3b177e2feba6442905f27438414a0f230123bd16f7e299805e39940c8b4eb5e2c3fc73a936af17c219

Download Submit
C:\Users\Admin\AppData\Local\TempNHCYQ.txt

Filesize
163B

MD5
6d37932234587cc7795c130d52abd31b

SHA1
79b14567c8ca7857d93bf85810e2bd401423ea07

SHA256
5db4a4e46432fbdc79298a88154ceafa8e0755a382e62739008f70f68868049d

SHA512
c1bb43359eb4fd425f9b5bac8744f7e4178b8108c27f14aededf26eded3d82e043d5fedf08123bd2c0c6e33c01a7aff13fb0b344306d36539dafa1caaa86feb4

Download Submit
C:\Users\Admin\AppData\Local\TempOBNVN.txt

Filesize
163B

MD5
24c2f0e1418cade946626c1e4c9d3db2

SHA1
260517f4ba53f1062f0e60840d1e25d804a3bcfd

SHA256
de23ce509ea458dc5a9341b808d6fc8ee77cd6dde856f4f7c34e105071ed7855

SHA512
72747ae22f5b3e47ea2028e0e8a94feef6dc18a4f10f2a6adb2bb53f8b33dc2580a6c18635c0c2302fee361a79c36631b36015dcddf762a3b7c97c387b7a809c

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUA.txt

Filesize
163B

MD5
fd57fa28b96aa63b9bf7237817711272

SHA1
a3c675fcf77412ecebcd072c7c29836170b3e2d5

SHA256
94ed8c09695dd7503351259ff03f581948c810b7c1bbe4c9068a1e455bf345b5

SHA512
0daf00af6a649da5d4c3c4541c2cbf4a96c13898b720eb2b4089dcbc24ed9b42e9cccbd9195278bd4e4759bae2ad7656f530dea64d2d844226c4211d3f75d2f9

Download Submit
C:\Users\Admin\AppData\Local\TempOXTAA.txt

Filesize
163B

MD5
a858f377e50658245042676e63af142f

SHA1
f4c80ab055d83e351fd43cbebd87f1c82a9294d4

SHA256
62255c76c20b3ceae60e02ba072747a318a65dccf75d4b2d80745ea800680e69

SHA512
72135514fc9d45ab7f22dfc3960ec81986419026a36de46242e4a906b92c01dee652342bb11e0ac8f8a823ab4f1e0d8e10d70cd2c2388a6a000ce8774359451a

Download Submit
C:\Users\Admin\AppData\Local\TempPJOLW.txt

Filesize
163B

MD5
3739c9378a95d73cccd808ad93026048

SHA1
2efc0143c6c84413774e112f8dbfb2233a98cb1c

SHA256
10912fa52b1c76c9f47e788d10fba9a20461a9d52437c78cd6b201b27b4e94f1

SHA512
c28defca28d615c7e55fdbe04dcb661a7ec2ff3efe1a027ae3cd4622d39cf5a5ee53253feb97b1e4d223a55af4b30b37415b21290a3b7d4a4bddef09885d0d0b

Download Submit
C:\Users\Admin\AppData\Local\TempPMQLT.txt

Filesize
163B

MD5
025b440da23deb540aa314393303485b

SHA1
c24514626fafeed0bad536ba03d38b19c84ada58

SHA256
33fce00989bf24be4ef7dd57feb556d230c9889a771eec337e2a4b7a85c0b238

SHA512
ee500cad17f4ecf03ce05eaebbd0e9870676a6e50773875e7f615d6681ba7c788f782f6f6a957c22e456da9f26af8a0c40467d7fef21b49f8f732f0c2bc93506

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAT.txt

Filesize
163B

MD5
ba03c24769ee4df2b3348900a5eef3b0

SHA1
72602242abef0ee01aa7e6a2f66af2c3d50b5238

SHA256
547f261efc13275bb26c77cd9cf03ec474403c7141bb83f787d00adb95100117

SHA512
a02ad29aeadc37fdcb71cde132039404cd302d55eda8b4b7b07dc8074a33f13e8d5560fc66502638aefe9ebd589c506c4569e8f24e2e48653e780f21576a077c

Download Submit
C:\Users\Admin\AppData\Local\TempPSTYF.txt

Filesize
163B

MD5
9b433bc15d3d296e8a7a971b6b81193b

SHA1
137eff257f036962f818b60de1265298ff0cf0f2

SHA256
e6f45e547628956b5902eabe852adc97a82153b19f0daf7895288668d7bb6374

SHA512
3189a044189a99d9bdc57faad32900c68a8bd5ee71ef05e86a2627601ff19dfba13cd938f196a3f7e65fd8b84a95f192addfb2860b0907c4f7cd13b408e541b5

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.txt

Filesize
163B

MD5
3c86f9fca6e72f3487041385d17af02f

SHA1
1d2933c86ad80c352b05bef3bd23315aa866d364

SHA256
61d8dc5504e877a049a72beadca2329646138a0a3fe296a57d4c4ce8fc2e1b70

SHA512
88c6b3ca0518f7158920d474b10bd35414fc715d8bdca0271f98246cf45015adfc5da84994fbf070767c35d5adbcfc2a8fac09b6947b9b4501c71dff4a711373

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.txt

Filesize
163B

MD5
a92f22d6aeebba42c05729c0c7188c08

SHA1
0de2b31be037959418e09bd24a547bba663e5fbe

SHA256
a75a1c5499d9c5d310706d6f0f239247e0eb87c3a09adf045d8514034a81bfad

SHA512
8334a9f1a511194751060865501a1e4c8bd24c625a4251b2ebed829b4e88da66b69af1857786a2fac53075e5774662c1689113e0c370c74a160e21e7b306f35e

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.txt

Filesize
163B

MD5
373e3e79d33ab24a63920df75aadedac

SHA1
025ca3368b01e37d1e2f466a1612d6be164af035

SHA256
559746d47a9aab1f4b5e26da733afce2275997ff8470bc178f65d8865bd4ef52

SHA512
33af5673baf8114720e31fc265dbbf6f3331709e0e9608acf90ab02f67e90c8dc57a860d19be1b5ad0716fd2c43e7739c2c70569122c009c42a6ea9e9d4d48b8

Download Submit
C:\Users\Admin\AppData\Local\TempQOSNV.txt

Filesize
163B

MD5
502091e88d4f9bd9c7adcbc8ad6eac18

SHA1
72a0dab360fce3de25db13635a0710d5e1baf763

SHA256
76eba63d23fe3ad22863c047f30213acd8b1488b91c492ba92f5fe838f7f20b6

SHA512
4d0b0d9122202ae510dccd1fe85998de6780972e1418886972135391774dcaac7ff990bafc6806f64564fe5e186425a6509ab46fe951a6d782160686618b01b6

Download Submit
C:\Users\Admin\AppData\Local\TempQQFOB.txt

Filesize
163B

MD5
5cc2ea5b9b6c892c60e123e88c6a99d0

SHA1
c998802db0b4c11a3d31a01909c2179a90cd0224

SHA256
5c6865a907c51e367723eb27fe16e1b9a429e3a91f39acd37efbbecf482cbc03

SHA512
6ff4955273f29c83537150ae6fd8ac53ed71ee96ab974774fa8b009284baf78efd17fa4d54cbc62cc91bd9ca5e7cf4e857b6860e6d85d162c330e0d0fc24a071

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVK.txt

Filesize
163B

MD5
ff63d8e96cd28976f42345b2809c73e1

SHA1
e5b172e153c6373f1c4c65550f6b037c2a07577c

SHA256
9fe75f61c2ae4c8c2590dc4a9a6d4e6136427bae61eb2dc9f669768a64981768

SHA512
9132e2fa180702b9b64b1163aeb324d5c73d9f530e62369f23756421adc7fcd7128b6b702993117a697f370e9a494fbaf9f0ea1ae0473dd9f47fe7dbd7c7f306

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVK.txt

Filesize
163B

MD5
1b8a00edd0fc407d3403cb505dbd5f65

SHA1
01e6613e2bf660ccd6a0c976b7ca8a7abaa54fc2

SHA256
e11c26837d37df3c197fa7828924cc2ba298fda359ecef1db90c23f8f2503a5a

SHA512
b63261cbc40fb7e5cb957f9417b78e8857ea5fb57c49aa98421737892626ccec8cf51426500e88e942be731c5fc8eb48b533e7c962081aa0c049923c31688f4a

Download Submit
C:\Users\Admin\AppData\Local\TempREBQY.txt

Filesize
163B

MD5
2b3e0ce2e138841aea19559aa1ee6ed1

SHA1
36730e6fb159d61a7ce53287aa4370f351fe83ac

SHA256
94fe3c16fd77bdd02fb54596230d39b586d849e61f2816cb22f13d6751996854

SHA512
a24ad2aafaf32862f31dfd0e4748164c179722afa78034ea6013b355bca4e9e22df53812d1bfca95862e2d88876787fbcc1f9362a6b8467d26a92b5fe2b2ff7d

Download Submit
C:\Users\Admin\AppData\Local\TempRPTOV.txt

Filesize
163B

MD5
2ce4c6b9a237cf057b039930930825ca

SHA1
fdee448380062355e0481732343c1c855d63ec21

SHA256
d073fe00ea7f669a17ac134ee52dd92307f850ed14853d02b33e1cc6fe5a9073

SHA512
53dbd75b64da54e319636d87c7f2b5ddf87c26e29d18292ef831e7b5ea274aed8a58ca63737877575baede6950902bfc9a90de32ca6a3d8af269dcd2bfb06b99

Download Submit
C:\Users\Admin\AppData\Local\TempRSPYK.txt

Filesize
163B

MD5
8d400655fc3fcd5eae2405c6a57a1dd4

SHA1
c14b761e8d12819c11b794d04b7c094ef0456f7d

SHA256
e178ebbd43a7d8fa3cee06a73308c755c8cc2dd2a71c68de2c7c31db32d403ea

SHA512
d6ce992e91d330bb7a70c5398447229deca4014274cb0b9acb2e55f2373658a5ec00f82b115905b776ae1cc9b6ba2ad8b43164fd3f6db362e724c42d04089ffd

Download Submit
C:\Users\Admin\AppData\Local\TempSDPAX.txt

Filesize
163B

MD5
01828693093ff77f5747295d62c209ff

SHA1
185f2ab8d95dc3560551dcce5f8de1d1ec079672

SHA256
ff2c0dd6b807ad417a34d9ae9382878859bf85d5f68517f23d3e4da0487dd8dd

SHA512
f061d8d712ea0f6958d4418f3f3e57cfaeac04b76702439558cc6ba218085d2fc45946ddc54b62b9e34524676c80b92453f67a581ada73203534ab6fb01ae439

Download Submit
C:\Users\Admin\AppData\Local\TempSDXWL.txt

Filesize
163B

MD5
1a3da698ee8fa36e10bff6662c71beca

SHA1
6ef93721e781a68c788b0f3adf5c402e66b49f00

SHA256
02effddc870eab367d08f4d09ebc710e98bc02f3ec9fcca5a98db8e9b0637e3a

SHA512
61ed3b5665204732e3a6d2398e769a5fe6414afa3560a2451e38a5ce5bc4c63a30ebdca8fc84a137fd7f9c0d29682d1b3806630a9c17db2d5d610357500b0200

Download Submit
C:\Users\Admin\AppData\Local\TempTCOTD.txt

Filesize
163B

MD5
58ee66fa6b26b84a2b2723f98441bbf3

SHA1
05c879e35afc11162776a7dae2e378bf7f0cc794

SHA256
94e0e21080675e26120d7dc5e254759277bcd31ad3470846d04b9b93cdaad7af

SHA512
de51ce998642657b32d6745c3d154ee36a9c5a4240dd0ef55ffd09e3d593fe118a3d0188b2de2af38286e5b07d065318560e35757a580e0cca82b146fe77543c

Download Submit
C:\Users\Admin\AppData\Local\TempTEDHY.txt

Filesize
163B

MD5
7f0b527f7baf38b696050eda03a7dbd0

SHA1
09550435888ff4507d342f553820e71bc5cfbd9f

SHA256
33222eb27238da3553e43f9ede57fbd5a6a2e5b482522adbf820a7a35877f66d

SHA512
a26143eb0054adbe029547d6b6db46c00cdc9376c39217a2090fbce798a86d24021940db491031fb92b845512bef54c059657dcd5971a44b6a3c41d2ce14fabb

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.txt

Filesize
163B

MD5
5ff073d27058d42b4e1a233167dd3a3d

SHA1
abf063edcb6c19d997dd4e414118415e81ea4447

SHA256
591bd8e593ca7f6d04bec230dae035b525f78d62f2b9835df05bda8ae23a141c

SHA512
e49b7c255947cafcc7258ca2b178b89c543366e39a605694041d31b032f475381617bddd5facd06c12b092e47768ab9443c2a309055bf546898dfdb36018e0be

Download Submit
C:\Users\Admin\AppData\Local\TempUFYYN.txt

Filesize
163B

MD5
455fc777ca670028aa6a797ef4e9c060

SHA1
00e9fe86b46dc414762245344bfa569348f78ac8

SHA256
1489bc1f65cf47a89842490e0d8aba5b0d5331bfee8fb5114a7bb66794487ca6

SHA512
b759a9f0971b583d8dc90d0bb11c6a3005f5cebabedf17227f09488ffb2d9615870263aba19d9629fd4b51a8b9b2a0aaa4c15c5b1dc4c57d8435412b013e4fd0

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.txt

Filesize
163B

MD5
82a35feb9ca1f14e6f8be79a1b859f20

SHA1
e138c816dc24146d24d4581069ddec79b8f7cf7e

SHA256
48c8032b57d27959fe6006f9f554c6e7deaaae09ca44d10740cf4a5f028e1c8e

SHA512
8e0319b5833a2b70833a94c2432525549ff45de4bb43e8c93d23f179c29ff3e751498069f667495d29275c48406b2df81a06bb68f5eb767f96bf59cb6d3bec2a

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.txt

Filesize
163B

MD5
1ec7e3ccc363d8da29003f6ca9f20bcb

SHA1
0f0f489d7aa81ef3940691225309146a6831f60c

SHA256
abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c

SHA512
bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2

Download Submit
C:\Users\Admin\AppData\Local\TempUIPKP.txt

Filesize
163B

MD5
8131020d25feaf121296f4d7d56a01fa

SHA1
3ff923604cbe9be3ea09f7d74c235d3a9bf110fa

SHA256
0a38597aa86cf23ea920315044bd38e93469a86365e906780f5c146ea3c2b5d8

SHA512
d567db0d8f7559f26cebb4a2f885c99b6041d62949fafec7cee1fb9ba2f4892d26a4020578824ae1784f7db5362252e2f4278712ee7f44a72dd381b29d61979c

Download Submit
C:\Users\Admin\AppData\Local\TempUKIMH.txt

Filesize
163B

MD5
f345c4741d0081aa0932ad7f5845f759

SHA1
d9144eb1df0ddb1070de557dc04da0b28e1633bc

SHA256
59ae30069cad5e80ca7e9a8dc55b36753cab62d2f0b1c9f6a43df50f56e842b5

SHA512
6207c4c517053b2d19e05a55ee8bbce09fb78f749caed525c22c996de014766ba114139628b2263c66bab73626793f7705df0d4342a8d9cd70f9b0f1e059b221

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.txt

Filesize
163B

MD5
5a4384ad153eee40e71481f1b84e2979

SHA1
c4f6eaf1a1a7e034ead8fb98d9f946ae66547733

SHA256
e24020f861db2b12a14f5de1030b174886ce889fe47e68fa46f555d2484ec935

SHA512
68a15ebf11eb0c7e315606916b9e3420d6bdeeb4cb0ec9b822fa629bd0ecbbba379c81b966ce5c686f7d47b51dc9d1752faf4ded1fb3c3b3ec11aba06258cf09

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
e5ce57e5d30e26845277d501a8c1311f

SHA1
7000a2c08a8b046d6d781967692733156a2aff16

SHA256
6e226e0033a8817c210108feaaae68b2b0ddbbc60e66151efcea4d19ad3d98df

SHA512
af1ca4eac827acbf4f5ed0edf2b781dbe4aed93ec308117fb6328241df795e5f7698ab9e6a82fdb66982d9a6e033ed8788b69240000027a21477bcbfebb11073

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPK.txt

Filesize
163B

MD5
92012f0668bee46ff4f22de0c512ebc9

SHA1
eaadb3aec6c416ad3f2a7db8020f518d0c24b843

SHA256
0a5ae9f443a61cdf8fb5c0deb1a7e66e4a8ab5005cd3c5323b571ef2cafab802

SHA512
139caad4d91981febb0d282c354f977dd4f591986d01863a60c32aeb694794836caf422796526b15b93350d51d73ce339fbdfda85d31d586a8a10c7bdd32992a

Download Submit
C:\Users\Admin\AppData\Local\TempXJGLG.txt

Filesize
163B

MD5
f6c6a403a39749222bb69c6861d6e00e

SHA1
929cdf17c595d7dd4ae3dcc73744d40fb0916469

SHA256
fa980b6510eb003301bbbbf3041d09df1c00ece88db792be56ef83183710eb4c

SHA512
9244c30fdf053377ce4133f14e9d1f794f01121a13e62551cf80f90f2dddf884b2713466cb235cd1cad2cee1fde843df5b9a5499aef76ad61c2c20db81f0f6fa

Download Submit
C:\Users\Admin\AppData\Local\TempXNIRI.txt

Filesize
163B

MD5
48811a19fe9dc5d9707922daf1c24028

SHA1
db22aa5f235045892c7f194e14ed8963063cd6c7

SHA256
ea8257645737bef1a0996db3d647f6b045090e52790ded3a7f6e0e1cf024e400

SHA512
d46885c8bcb7642bee9a1c8e0ab905620a92a1f9942a886c7f10dfbbee70caae950e026d72ab42cc9d78d9466a328f43c520984e5e3d140a9ca79d1acc821193

Download Submit
C:\Users\Admin\AppData\Local\TempYFGDL.txt

Filesize
163B

MD5
1da058b5cbde769209a6288b96ef384a

SHA1
f4930bedd81d64cdcbccab1130af611000cb4f80

SHA256
a68442151fc450c31bd67906143522eb3fab7a073fef876c294eb233caca5764

SHA512
1866eee9c77921b70a4f68996d57256f23595cb28c57f023548116d80afa1711440ffe33f2706e3012de0614cb704c003826926d6dc92a69c21ef3a28d5f357e

Download Submit
C:\Users\Admin\AppData\Local\TempYGOFD.txt

Filesize
163B

MD5
1c8a1be9bc3ebb31b2592214152bb854

SHA1
ad9dc2375b15466336615991e8f93396679cd5c7

SHA256
8276331203d869e2ccf20aa4070d1e22a3682ad54d69c4df288e5fb86522d8cb

SHA512
0b6179be6de759b1b4cd1597df2cc6df1de0223ef6b238cfbd33e6655e136fe8559094d8fea5dc783f79b33d91ea744ef491a6df1f420951c31626ad13dc7d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe

Filesize
520KB

MD5
254ca3140cc2a4d23a4a08c025204c5b

SHA1
1549a3c1b95988497cf287c8cc850acc02e1a250

SHA256
ad23a23149e77f9fb1a850b6d7131657c53e1a19da5daf3fd0251f48a28c3fce

SHA512
9be996a97bbbf06268d7986d72fc9ba02607effa049e6454ec07009a49f71ca4bd26965767197cf3689e3b87329191c2b7a4fad026721356e04561a178366ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.txt

Filesize
520KB

MD5
2596faff5e611f3787be85229f2ce55e

SHA1
e519fdeb31a26eea4f5d8fd18e12cb34aebff837

SHA256
91ac8294e4ef0e3a990008de42f5f142b45fa620221f8f0ce3c7fb95662102de

SHA512
b3431e479a96c9d7322e1c49dc940d8b72bd0300d09c508bdf5b2bd125d79b265e369142b8ca684d4633630da6c564a25b8458a01341cc7959d358946ceff02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe

Filesize
520KB

MD5
8b2a491ffeb5a9d68e20a6240d70a7da

SHA1
d9ccc987caecd143df63a7fff8dde465d3edcdce

SHA256
f33298ebeb7e97e78a5e4b4e1e4116df4caec4fe1af58580affd6bfc26f81018

SHA512
9ef61fa05731e787c831890a87e2b43b1deda8e125f4967d6efd74d2f306f3cfc221ec01b3eb2ad495c58ef02af64687f4a6127fb075e48ae2f4a11d025d512a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe

Filesize
520KB

MD5
1962ee9e3658539b99bbcbe820705634

SHA1
ce7e9e8a2b31df31d1eda8b8311ed33b2d728470

SHA256
74b68d5e7b07039255c69b7c90258ef4d29ea065db279783d8614bfcc3503b63

SHA512
77881f39cbda8a4b64ff69a8ac25cb02276bfdf919113cf87f5bf4c1da64d83b8aa645e81fcdb09fbe0c3a4862320b1acfd4b9a658d84bb19006f45846505237

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe

Filesize
520KB

MD5
0ab766575a4aea45c529f8f07d1e030e

SHA1
1a22c7fd89e1331392798093755587fb4f239229

SHA256
3225d35d3bf440aa1844b94318b473d283b183be4b622201e09cb31e44ac348b

SHA512
5d1e616005f51576cd77446f7c9982abd2336d4638618f3775ea90033715cb2abc0741ef84b551b6b34216b33ac543cb66895e22c2e8f915ad24d184f25facc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe

Filesize
520KB

MD5
88043ff594126647c9aac5c39de5ff11

SHA1
dee230d1c6701772ea8f806c46fccc26d2cf090e

SHA256
828f39cb952fbfade4363d8d2d0189f81dd7476a36b05f82060cc8f1e2f6bd0e

SHA512
8d5fbeb0bf921611d0f8f2525bf8299605600272547b1038bdbe709b0abcc48347e5cb02226457c2f59c70c739966d8dd72ab603322dce6b5c3eb69e6bc73db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe

Filesize
520KB

MD5
040bd162c23091c5e13a2b2c536cb46c

SHA1
27a07199eba9df1f6bbce77bee4279972a495514

SHA256
1b8d0e4cc8bfc32237e597d4d4d0178bc7ad2b6a7eb265ec3e8d7ce907fa7bf4

SHA512
a2867ff2f612131b78765487355456cffc40f059b1967b26a0dc215b2eec74d24d1d9994415796817aa3a0e7674596dcb61e9d5946e1f4f8d75b90b79f204c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

Filesize
520KB

MD5
4b1dcac05ab6080808ff94a24208fcb5

SHA1
4e9603b920feeb6452538306fc8faf740c39a0b9

SHA256
0b04c7f54fa1a608a8bd582f27b3fbd1eee88570e86ed025196fb146c7e535d4

SHA512
99ea3a1418859e7822e958b6f7adc73ab884728d38feabe7706573302f2e5a85b73d5d80bb1d24c6b493251a6e4b68c7ce752f55eab836881364a14e917fc36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe

Filesize
520KB

MD5
1086ef81abe16e09fb53cd8e6fe38497

SHA1
54314e3b630aeb595acc84cb2aaafc313448ecf5

SHA256
3eeb487e2e021bb83ff7137091db0e4d2d0135a60b18c4a7e3aee29ae6f638d5

SHA512
cef6926a5bc76cd306fbb3cc3d971f54327fcc2ce7080d25fe342975c8dbd46ecb139fd90d885205eacc4b4a93d62e35899765c03d4fccedb4bb4f794185e552

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe

Filesize
520KB

MD5
61cf4e9e636ecc1700fac983bc6e307f

SHA1
c68ac3e52d6d76275b905d516707488a3bd5a8f1

SHA256
b3e6bfa503e2fb7b16dbd64c0bfc308c7f5d2604c9798b89af03469640f294c7

SHA512
f261259c168a7d664f470b42f8a24709103f3ca5a7e1bf33a92dc31e7b4b1fe6eadd45b2b7f64087219ac98b21bc522387c51db72b99bdbc16270612f5867021

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

Filesize
520KB

MD5
21f9b0e9d18b20e73279f97d9e937686

SHA1
007df101c6346e0fba2d2a0c933e1844c52b1941

SHA256
0b12802d6f29ef8934d07f4b54e3071658662e058e6816b50e9fd703fff8efb7

SHA512
c9aa0877b1624018e3c6907dbe79c17275c318584415e938797ff425db6e7daf95b22cc9a3abaa4b64828b1487b331f8e787e5f9b721f0c315d1c7dbb116a86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe

Filesize
520KB

MD5
c1149ca1be9f8bf14e89755c7aa4e0a8

SHA1
45155035d8d9be4cc558f771aa833e3a1322803d

SHA256
17d4501ca0a6d9c07895edc6e96e22b4114f8aa702521af658b67be337c72d40

SHA512
963792ac651f8e6b9e17fea2809848046b6e2d0918eae8fd6cb020024834d6a68db827b2c436856a5cc425d7bddff7a3c8aebc1932617d14a191985149767ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

Filesize
520KB

MD5
9796752d843ba9a10a216d2e8ac83cfd

SHA1
4d12cd3225f93e6575cad6652c72d2318b3df8bd

SHA256
afded2176daad044c5924bfb3e48244efeb7ffdd5bf5c44c0992316e38624ce9

SHA512
c6230ced3b3ddd2242d81287dfe4cc828cbfb469d1dffa34a65c14fb841ca3a29bb2fa192ed12471794f6998120cd1d77d712e322b1977b3bf4e659470229998

Download Submit
C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe

Filesize
520KB

MD5
3aaa21100972c76fe394285fafae4cfa

SHA1
040f0c5306e43f961fa021c9f7844883dabc291f

SHA256
6c5bd498dd37ab4a8e4d211dc00f1d59bf94cbaa0a7d42d9ab4f7b9035e82823

SHA512
4316e8d20bb14e6968b1be0846775e0f6fe5accda749d4b502034efb7a308179efd7470e851112c71d363f2e01b4889a0f3513ea6d7a26edf36c28b545c94c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe

Filesize
520KB

MD5
379f89b7b5e01302a41b0fcd82ff3c7e

SHA1
a6ff514484d8c4f07382b93c44b9e12f0bc95c8e

SHA256
c33e1cc2735f2e0845edb1e3473511015c8264f55d3481c583827e36b29235cb

SHA512
8aa86be3b56a018619c3e488858cf2445eb1f95b2ed42b69a20129136831bd6987d9ce8fc7c7cfadf3bf9db082dee9caa05278f746508597b0d863fb935ce986

Download Submit
C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe

Filesize
520KB

MD5
f3700f5774af5f2dffaea7d768b78ae3

SHA1
5d3c6e193a78a038c5dcd2e431b2abb6ab79fe00

SHA256
8027d7e2325de2c56fea474fb534b5ed0e07d372e0db12c222e2cb507163681f

SHA512
d195ca57e920cb31396be49487430be5924a13a7f50cede002f49b733a1f85ed8026ccf645efb945d44f3c28366b12014218a80db2b6db15a12b58a4c5dc472d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe

Filesize
520KB

MD5
7aafe35f1ea898228b02d999a20877ac

SHA1
d7a78eebcedcdc3a779e2385c26d60e9ea86d086

SHA256
89dd5d30247aac16ee3d5483e60e6eb4e7cbf38914f099c050cb629a79860dc0

SHA512
2b611dd9501728e30db02a3bce17199701a3a9b6393b5b4908f45ca47c3ca072fdba78de047dd0d7a526db136d9a40cfaa741e3008983fb05e698d8e91aa3c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

Filesize
520KB

MD5
2c9c316db12cbd05c960c32493372144

SHA1
2f363dfa79e857d6008267fd26b3610ccf8e3877

SHA256
b06305086554590b99f423848c61e217145136ea4ec2cda573659f7518dea43d

SHA512
5cf1a187744173de06c97cd4b728bcc4b55566de6feace95d2ab9d7a1df997fc9367fd3befa3dd6675b7605832a7c58278b52039dee4edc9d70535508feaa074

Download Submit
C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe

Filesize
520KB

MD5
72716d493aff8a6997f6308fe5dbf9c1

SHA1
98d11ccee4c53f625eaf9f147c069be063085b03

SHA256
ed046ff939cd5398486299c0957329c3ae756c82b2e626861eced9fabda2436d

SHA512
b3850ae274c79db00bb6acf21ffcb0c4a06d35e6b2fa9367febbfa7b289d159b6ca73a698a27a8bcc50323486a80f977be6dc7ce3466b6041bacbc84cabe0185

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe

Filesize
520KB

MD5
38a118dae986ecef7cbb8ccbda1f3602

SHA1
58efbd026ba1292e4a1ed5f84dc37ef9ed5cc3d3

SHA256
93a4fb5acb602d2982e8df1a7686a17fa70fb5466eaec3ba4fc8d912285217c1

SHA512
6e1a5e5d545329405b794f3efe7090a6c22451c5534121e4694deef3266f1ee67d68daff5276beedf093ab6c9ec6a28f16f20b64381eb53c97786d242d9550ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe

Filesize
520KB

MD5
35bd19438f50112ee844de62ad902832

SHA1
0919c7609230dfce3012d85d71ba992a9d28b727

SHA256
37b061456652acc76ec89f65c8f61ab3868f029fcc9b60d9c88458eedbe4d92c

SHA512
2bc956147f72fa03eb1c5ec1ea041af90e42db9de7cd88a27f8846f54cd893fbbe3f59bbda020582890dbd218598b538f752d324a4c1eccc370d6250a03d0226

Download Submit
memory/2904-1650-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2904-1651-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2904-1656-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2904-1657-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2904-1659-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads