blackshades | e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
Size

520KB
MD5

481090609ca307c7630403cdebdf988a
SHA1

7476081b41b122a1ef39bd7b0ea7c41259df8c9c
SHA256

e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
SHA512

e4d4ba737881a6deaf6f92af13c6a018880e434c8eed7e4095257895f142658d103ef20d33b7cefa0a92605f87150ead8b1f40bbfd53a59fd2d76e93796d5fd6
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXg:zW6ncoyqOp6IsTl/mXg

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 8 IoCs

resource	yara_rule
behavioral2/memory/1004-1171-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1004-1172-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1004-1177-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1004-1178-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1004-1180-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1004-1181-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1004-1182-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1004-1184-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 46 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 47 IoCs

pid	Process
1448	service.exe
2628	service.exe
4404	service.exe
4744	service.exe
2132	service.exe
4008	service.exe
1448	service.exe
5060	service.exe
3512	service.exe
5008	service.exe
4824	service.exe
4896	service.exe
2744	service.exe
2748	service.exe
4976	service.exe
3336	service.exe
316	service.exe
4960	service.exe
4724	service.exe
5012	service.exe
2132	service.exe
2264	service.exe
4480	service.exe
3980	service.exe
1096	service.exe
1408	service.exe
2660	service.exe
1340	service.exe
3184	service.exe
224	service.exe
1180	service.exe
1528	service.exe
1264	service.exe
4992	service.exe
3476	service.exe
4600	service.exe
4052	service.exe
3128	service.exe
3012	service.exe
5092	service.exe
2168	service.exe
4820	service.exe
4600	service.exe
4088	service.exe
1084	service.exe
1540	service.exe
1004	service.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGVJQLQAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LODJWWIQHRNIYRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAEAVQDL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJWHGKXYBLRYYJA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSXDECKCHWVJKGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLIRDJOACEQRMKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSIBYAHQGMDULAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HYQMHXRCSBRSPYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIJURPTOVKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTXYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OGXPLGWQBRAQROW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMYCHVUG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRNLPCPRMFJKTPC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPXIICWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPMVHNSDBFAIUVQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMJRDKPACFQSNLO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LPKSGHYAHHQLULA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGTARNXOJI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BQROXJPUGEIDKWA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QSICAHRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DXCPFTPMRERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NUYKIMHPDEXVEEX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRHVQOTGTVAQJMO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJDXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGWVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMDULAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHQHRNIYRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUYKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EVOTMCMGEHXTUCQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YARKQXIJCWBDTQQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YBLRYKAACESNMHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBLYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBRSPXJQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQLRWIFJEMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSWKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPMVHN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSTQYKR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MROCOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPPWLKLHFMHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPDDEEAVQDKF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFRSNLODRYITYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBTKHBVLMJSEKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSPDPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQQAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRTOMOESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMMKSELP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWKLGEHXKRBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOSXEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJIVCLVTDYKEYFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJCHOXAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WHFJEMBYCUSBBVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REIECSYQHHJEABK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GCAQWOFFHCJWESR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWUXINSAFCRR\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 1004	1540	service.exe	293

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4636	reg.exe
3580	reg.exe
3180	reg.exe
1240	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1004	service.exe
Token: SeCreateTokenPrivilege	1004	service.exe
Token: SeAssignPrimaryTokenPrivilege	1004	service.exe
Token: SeLockMemoryPrivilege	1004	service.exe
Token: SeIncreaseQuotaPrivilege	1004	service.exe
Token: SeMachineAccountPrivilege	1004	service.exe
Token: SeTcbPrivilege	1004	service.exe
Token: SeSecurityPrivilege	1004	service.exe
Token: SeTakeOwnershipPrivilege	1004	service.exe
Token: SeLoadDriverPrivilege	1004	service.exe
Token: SeSystemProfilePrivilege	1004	service.exe
Token: SeSystemtimePrivilege	1004	service.exe
Token: SeProfSingleProcessPrivilege	1004	service.exe
Token: SeIncBasePriorityPrivilege	1004	service.exe
Token: SeCreatePagefilePrivilege	1004	service.exe
Token: SeCreatePermanentPrivilege	1004	service.exe
Token: SeBackupPrivilege	1004	service.exe
Token: SeRestorePrivilege	1004	service.exe
Token: SeShutdownPrivilege	1004	service.exe
Token: SeDebugPrivilege	1004	service.exe
Token: SeAuditPrivilege	1004	service.exe
Token: SeSystemEnvironmentPrivilege	1004	service.exe
Token: SeChangeNotifyPrivilege	1004	service.exe
Token: SeRemoteShutdownPrivilege	1004	service.exe
Token: SeUndockPrivilege	1004	service.exe
Token: SeSyncAgentPrivilege	1004	service.exe
Token: SeEnableDelegationPrivilege	1004	service.exe
Token: SeManageVolumePrivilege	1004	service.exe
Token: SeImpersonatePrivilege	1004	service.exe
Token: SeCreateGlobalPrivilege	1004	service.exe
Token: 31	1004	service.exe
Token: 32	1004	service.exe
Token: 33	1004	service.exe
Token: 34	1004	service.exe
Token: 35	1004	service.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
3436	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
1448	service.exe
2628	service.exe
4404	service.exe
4744	service.exe
2132	service.exe
4008	service.exe
1448	service.exe
5060	service.exe
3512	service.exe
5008	service.exe
4824	service.exe
4896	service.exe
2744	service.exe
2748	service.exe
4976	service.exe
3336	service.exe
316	service.exe
4960	service.exe
4724	service.exe
5012	service.exe
2132	service.exe
2264	service.exe
4480	service.exe
3980	service.exe
1096	service.exe
1408	service.exe
2660	service.exe
1340	service.exe
3184	service.exe
224	service.exe
1180	service.exe
1528	service.exe
1264	service.exe
4992	service.exe
3476	service.exe
4600	service.exe
4052	service.exe
3128	service.exe
3012	service.exe
5092	service.exe
2168	service.exe
4820	service.exe
4600	service.exe
4088	service.exe
1084	service.exe
1540	service.exe
1004	service.exe
1004	service.exe
1004	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3168	3436	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	88
PID 3436 wrote to memory of 3168	3436	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	88
PID 3436 wrote to memory of 3168	3436	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	88
PID 3168 wrote to memory of 4348	3168	cmd.exe	90
PID 3168 wrote to memory of 4348	3168	cmd.exe	90
PID 3168 wrote to memory of 4348	3168	cmd.exe	90
PID 3436 wrote to memory of 1448	3436	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	93
PID 3436 wrote to memory of 1448	3436	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	93
PID 3436 wrote to memory of 1448	3436	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	93
PID 1448 wrote to memory of 3012	1448	service.exe	94
PID 1448 wrote to memory of 3012	1448	service.exe	94
PID 1448 wrote to memory of 3012	1448	service.exe	94
PID 3012 wrote to memory of 4792	3012	cmd.exe	96
PID 3012 wrote to memory of 4792	3012	cmd.exe	96
PID 3012 wrote to memory of 4792	3012	cmd.exe	96
PID 1448 wrote to memory of 2628	1448	service.exe	99
PID 1448 wrote to memory of 2628	1448	service.exe	99
PID 1448 wrote to memory of 2628	1448	service.exe	99
PID 2628 wrote to memory of 3432	2628	service.exe	102
PID 2628 wrote to memory of 3432	2628	service.exe	102
PID 2628 wrote to memory of 3432	2628	service.exe	102
PID 3432 wrote to memory of 5108	3432	cmd.exe	104
PID 3432 wrote to memory of 5108	3432	cmd.exe	104
PID 3432 wrote to memory of 5108	3432	cmd.exe	104
PID 2628 wrote to memory of 4404	2628	service.exe	105
PID 2628 wrote to memory of 4404	2628	service.exe	105
PID 2628 wrote to memory of 4404	2628	service.exe	105
PID 4404 wrote to memory of 4756	4404	service.exe	106
PID 4404 wrote to memory of 4756	4404	service.exe	106
PID 4404 wrote to memory of 4756	4404	service.exe	106
PID 4756 wrote to memory of 3792	4756	cmd.exe	108
PID 4756 wrote to memory of 3792	4756	cmd.exe	108
PID 4756 wrote to memory of 3792	4756	cmd.exe	108
PID 4404 wrote to memory of 4744	4404	service.exe	110
PID 4404 wrote to memory of 4744	4404	service.exe	110
PID 4404 wrote to memory of 4744	4404	service.exe	110
PID 4744 wrote to memory of 2416	4744	service.exe	111
PID 4744 wrote to memory of 2416	4744	service.exe	111
PID 4744 wrote to memory of 2416	4744	service.exe	111
PID 2416 wrote to memory of 1340	2416	cmd.exe	113
PID 2416 wrote to memory of 1340	2416	cmd.exe	113
PID 2416 wrote to memory of 1340	2416	cmd.exe	113
PID 4744 wrote to memory of 2132	4744	service.exe	114
PID 4744 wrote to memory of 2132	4744	service.exe	114
PID 4744 wrote to memory of 2132	4744	service.exe	114
PID 2132 wrote to memory of 5040	2132	service.exe	116
PID 2132 wrote to memory of 5040	2132	service.exe	116
PID 2132 wrote to memory of 5040	2132	service.exe	116
PID 5040 wrote to memory of 1352	5040	cmd.exe	119
PID 5040 wrote to memory of 1352	5040	cmd.exe	119
PID 5040 wrote to memory of 1352	5040	cmd.exe	119
PID 2132 wrote to memory of 4008	2132	service.exe	120
PID 2132 wrote to memory of 4008	2132	service.exe	120
PID 2132 wrote to memory of 4008	2132	service.exe	120
PID 4008 wrote to memory of 1528	4008	service.exe	121
PID 4008 wrote to memory of 1528	4008	service.exe	121
PID 4008 wrote to memory of 1528	4008	service.exe	121
PID 1528 wrote to memory of 4876	1528	cmd.exe	123
PID 1528 wrote to memory of 4876	1528	cmd.exe	123
PID 1528 wrote to memory of 4876	1528	cmd.exe	123
PID 4008 wrote to memory of 1448	4008	service.exe	124
PID 4008 wrote to memory of 1448	4008	service.exe	124
PID 4008 wrote to memory of 1448	4008	service.exe	124
PID 1448 wrote to memory of 3428	1448	service.exe	125

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBDRNM.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJWHGKXYBLRYYJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4348
- C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
  "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRDJO.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUYKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:4792
- - C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
      "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNIRIG.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4756
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NUYKIMHPDEXVEEX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:3792
    - - C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDRYHT.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMJRDKPACFQSNLO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        9⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MROCOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        10⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJPUFD.bat" "
        11⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWQBRAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        12⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempORSXE.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJIVCLVTDYKEYFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACESNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJRA.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSXDECKCHWVJKGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXTAGD.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRHVQOTGTVAQJMO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        18⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBLYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
        19⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOGD.bat" "
        20⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WHFJEMBYCUSBBVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGEIW.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWOIB.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRNLPCPRMFJKTPC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJUSRV.bat" "
        23⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LPKSGHYAHHQLULA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPRWC.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
        25⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQXHS.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KLIRDJOACEQRMKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "
        27⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCSBRSPYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSPDPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "
        29⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFJEMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
        30⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIJURPTOVKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REIECSYQHHJEABK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempORGUC.bat" "
        33⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPMVHNSDBFAIUVQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMOESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDHV.bat" "
        35⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GCAQWOFFHCJWESR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVASWR.bat" "
        36⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGVJQLQAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHRNIYRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLGEHXKRBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        39⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSRAT.bat" "
        40⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BQROXJPUGEIDKWA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSCRSP.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LODJWWIQHRNIYRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKIQCJ.bat" "
        42⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        43⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
        44⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
        45⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXFGP.bat" "
        47⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /f
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        49⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        50⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe:*:Enabled:Windows Messanger" /f
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe:*:Enabled:Windows Messanger" /f
        50⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        49⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        50⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        49⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        50⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBDRNM.txt

Filesize
163B

MD5
6fa2e9edd5f1b2cf91a50fce556ab425

SHA1
1ab599c81af314d7fcb5d71ade64ef1d6af90f9e

SHA256
c64127a4b8d2e39e1d2b59bafa74f26d532ab3407d4042e7af966ad7f26bdc9b

SHA512
8d2d9ad81c5636ca916f7d12af80ed05de97e7411bbd0f4a85be43d138ffd98af725384d6fd862af3eec97ade67118341d848f504cf4c8b21405be4bcafb7fa8

Download Submit
C:\Users\Admin\AppData\Local\TempBEFPL.bat

Filesize
163B

MD5
5d5193981fbb091f2db96343213a1540

SHA1
ff915d08eb74f807c0f4025cb9328452915d57b4

SHA256
0507bc248992b8bb2868f818afd9557ee243cf4a23ec0600dc075bd545593611

SHA512
22900c727121acdd2e26815c64739c26e94de8e96aada530d44006b47162cefc8200b44829f5da5a3332e4227738a6fe2dab62772ae5987f7521a971bae2dce3

Download Submit
C:\Users\Admin\AppData\Local\TempCFHQM.txt

Filesize
163B

MD5
19b5c504d50be17ed858500e872957be

SHA1
20714841324a86dacfed2fdac8089bff4c7a1f48

SHA256
1a6c9ce78a7cb656d62451f28e019cdec09c8e8b0344fa7455a2ee4ca50e3ff8

SHA512
3b312ecca4648d257da7419e8dd6554bf19a6992fca64a578d425f385c44a5352001505916725623603019a4d2ba229a811823ddd23599d85c2018f177c32d8c

Download Submit
C:\Users\Admin\AppData\Local\TempCQXHS.txt

Filesize
163B

MD5
5037eb92e66a2c05e7d5078a8a1143b1

SHA1
4a388c5871ba342bda5d0aa51ad5bae27b732d8f

SHA256
382df9b3a1a226397b05dc0774a41a46a3b28f8be91a16cc62b23c3238f1bd93

SHA512
63f98ee3fc58a56a94d7560a88a356fa0d2d39d3ec0826c868501b059b8b7175767ec3a01f9605bbbb98caf82d54830cfe7e4893018cd20420db1bf72850282f

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.txt

Filesize
163B

MD5
0a642b13e305d30ca155412d35b152af

SHA1
781496d9955791faa48807abc37e66baaf0169f5

SHA256
1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797

SHA512
de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578

Download Submit
C:\Users\Admin\AppData\Local\TempDMDHV.txt

Filesize
163B

MD5
8be720d3cdc5c62641df5ef56fae71ab

SHA1
a723734b68a48265dac3e7eefc87d0561c1dfaf5

SHA256
b98594696bf6f74fc972241084b34888a162de79897092e79281a2747136274c

SHA512
40b8586595edccbed2200722990d0aa933bbee9735436083a586550d7cff6db35d986976a1de2beba0e7f5314d1b49294c88e81682897c6dc1ab13a4b9b1d79c

Download Submit
C:\Users\Admin\AppData\Local\TempDRYHT.txt

Filesize
163B

MD5
adc7a0d1c28b95fb10bf331628342207

SHA1
af786319d980e4cd7f481e0208bcd7265b0cb1ea

SHA256
f5070ad84d95dcf703f95455d7a0db0c2f4c552d5057674ce3733f01ce60b207

SHA512
679455ebb23dcbe3334b58bb48550a2bec1585b3982b1d6be020fa74cd7e1fa03e32e9b33a4eb5ce741a3dc1d282aca4868bb66e2d13177354fd36cfdc797919

Download Submit
C:\Users\Admin\AppData\Local\TempDXBMK.txt

Filesize
163B

MD5
f2cddf9b4c6dc1c004b21edafc8229cd

SHA1
29cdd639f4c179567cb348866c5f6e3dba09d708

SHA256
8f24551e222b7f71fe5abde2e4f575e531c22c7b9d65a5493adba78b9ac040db

SHA512
e2bf4e1ecd1e3ea9c31b09da90f2c7fc0c3b0f826f5ff4ed820c793f892fae68af1e6bca0a8418322ac629f765cc873c5ff81fbb59628e3bdb06d93fdd59b0b0

Download Submit
C:\Users\Admin\AppData\Local\TempGWJRA.txt

Filesize
163B

MD5
aafa596022ec916e16d728991c445f33

SHA1
b74870573178579c6257ffbbc49ad226dcb9737b

SHA256
6a3917efbae6a89e372b72356fde1ddfc5a6399272cbbb25881e107747c3fc69

SHA512
18e061d778bd0655c293d67b05b9723028aff20dd932e26af826f50b3979f9e0be121eb5e9f95a1de85b4c47ce25fb60d118ce918ab27e8cd194d34730a9c7b0

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
65051c70fb370f0677d286ed2bb6bbc2

SHA1
fd7d7addbb9b886bb624ed5943299ac1b5736fee

SHA256
c057dd885e2c0d5fcc08c30e83f212943a4ed1ad4f301dfab2d9ccf2dc6e6aa9

SHA512
fb891f6c8f8ff0921c96a17fa47f43136c5d4f384d954d0ad325c903f54990d96c1efee4f69b79fc267a96e87157b7dca4d805799d9f05a0584b1f020014e145

Download Submit
C:\Users\Admin\AppData\Local\TempJPUFD.txt

Filesize
163B

MD5
66097a57ad354205f527a8611e0d521d

SHA1
b5dfcf50ce1b17eb8d280c2b7d991c23b79ee197

SHA256
8abdbf15859cbef19f04e689075848a98e404baaf4de37a50abce37b230380b1

SHA512
ea74eb331a4ee32f9640b0f5f205269d6ec5a8b9605a25ae964602064cd8a574caa2a716bd2f0dbd46b0d9b3c1619bc10751aa11ab4af06d2ed42fb3a9a083d1

Download Submit
C:\Users\Admin\AppData\Local\TempJRDJO.txt

Filesize
163B

MD5
c84fae6cade4418f510bef53dbaf1202

SHA1
adc0e9b7e978c8a8835ddbbd3a0ccdd21f518bfc

SHA256
242708153ac165985ebed0a13191950afcf8d69f8300d912acc4733f1ae12acd

SHA512
4b9b9a4a9dfdff6b4d27fe3e9a1cd53df4fac54e602699572cec0539b463d621aa782f47a490e46521cd1d754b5c076739105d33785a62ae058799dfa43f8846

Download Submit
C:\Users\Admin\AppData\Local\TempJSNWN.txt

Filesize
163B

MD5
3aa1f329efa98263ae6cc7490d68de80

SHA1
a1dbf8a2daf345103f9b40ab592015ecd1bf2247

SHA256
7f36f38822581f1e739154d1aaf807c671e26fa73e6507474034732ea3d4b61d

SHA512
7cdd827d7dd312388aa55eeb73a0e5606ca1b48eb3c8c954f16f31b6ac24af788f9a47cda3283adc6179d7b7a5a9ae9e33b40444c571a50a8e7dcd61ebc2a4a7

Download Submit
C:\Users\Admin\AppData\Local\TempJUSRV.txt

Filesize
163B

MD5
1ee484831f631cf02e6151a3adaa385a

SHA1
9021d396e9d54d48211446a539e7913e6c3de55b

SHA256
7c533bf5a46fea75032fe6c4ed8a3cae26ad9e3fc767ac9dd6bd48c775d44279

SHA512
5476d0cb15e0a1508556b8dad1a9df0bfdf4b6fe93e9cdd92d03a9fc88769f76de78634164b49a622665db052b630e3b02a1c7bdd6dbe185dcf75de78a4ad6ec

Download Submit
C:\Users\Admin\AppData\Local\TempKIQCJ.txt

Filesize
163B

MD5
3bf0ca3ba9863d35e7db3e7b2cd31b7a

SHA1
ea10955b351348e554138f493d3a22c60c44c2cf

SHA256
c4c93341d1268d21ddea7d6132776d3ae6d2cbe38c232579852cd2138a68a764

SHA512
d062c276cf111712a5cdc8a6ea648b1bf4d2e2ce312be4235dec436112234f61e43693e9dbb8850e35a050b9fd978517c1ec2bc6e7b8fcb4ad03f490d50355fb

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
744a5026709d2e515773358787335ddd

SHA1
30e8cd8484237258baf44dbe7519134890471634

SHA256
275ff9d4af6a5aa1439bb2288cb5bb576546130da74f614bd575738da1bb21e9

SHA512
7f2de32cf6b2874543a0c05b18c146bbcc804509cbd040f66d6facd63d56f0a765cbc9e14e513cff32fd8cc7d475c8532e11fa135fa94f76c233b369eb54d33a

Download Submit
C:\Users\Admin\AppData\Local\TempMPRWC.txt

Filesize
163B

MD5
5826b21bd1acd9827aab11fa4ae96f80

SHA1
70dbcf9b36551660a8101cf41b3d223306a8a912

SHA256
4837e9f3bdc83a08cb1b271cf3ec8df340f9f366fc4f3bc9398a1c05f3251f0f

SHA512
961b179a7a08c6548df904d249a39055fba8987a5d76a2d8ad26c717472b61797dbefe0a8079337d26551f6d19de118c4fccef25f6b90cb52e84ebf030c841d6

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.txt

Filesize
163B

MD5
0e84f3bcd40232c8eb14e54587f94776

SHA1
e7648e0fc12856e52efec01dedf8cb4eba0c9953

SHA256
ea568b80a63a5b79adc0dc2fee080588c2e7f9747730bc2a2f019671618ce98e

SHA512
7da9c91d583165b2af80ca23f0f398d5a56e10c2a4d07729c36c2a68b260c26e65b4722093bd03a59cb643348b63572aa12827b92e832e1abe290e60f67a6f58

Download Submit
C:\Users\Admin\AppData\Local\TempNIRIG.txt

Filesize
163B

MD5
826a20596f6976249332de226c6cfdf8

SHA1
3f811f098b3e8445eae5da7e9dcd98b2ef5177e8

SHA256
bce12e777216230c396e60c89fe1ea2bb30f28ef17900ca1c037d7044f519c9d

SHA512
098f41014807cd5573eef56262adf36b0d5a5082afdd760ce5e07456ab1a7935a6a53b92d4af07f9b42fadbff0a693cbfcf548c62c059bfe26828e5f9745bd17

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.txt

Filesize
163B

MD5
0b6b760849c7bd9de74e64f9c2f3fdab

SHA1
2ab2b28c12975c0a6748cedf34261ab55a4c198b

SHA256
892339a1c3d9473d0b7352a4a7cfe9607924df83c741dcae24220c92bd2a0b2d

SHA512
9317e2739e7b523a31e1382fd38fdd9eb0498cba45c091c4265a3f87af2c66379b595a1af65b6754366f0f061c4753c5e67710f7340fe656124bf6bcc2c12f60

Download Submit
C:\Users\Admin\AppData\Local\TempORGUC.txt

Filesize
163B

MD5
6fbab6998ebcde0fb2d77e94a8d48a4a

SHA1
114790d9ec86e848a0320b012114fd1ec8a9ac72

SHA256
058bedcbeb05b6ffe92cf33a62a3ba718497ea8a9c478fe89beee82b3cf188fc

SHA512
43a73aee74123e2d2cb687c80ce6bdc52029a1537f6f8a7c4beab9d011cf0d2018a6aed97f97217a2f16b7e7e06cc95f0004c141eefca656432c285c824cd0b7

Download Submit
C:\Users\Admin\AppData\Local\TempORSXE.txt

Filesize
163B

MD5
614f1433fbe565374413c79c491fdb8c

SHA1
27c042d949d3310e3ed482df360a440af8a95976

SHA256
f6feacdd588ebc36b5577beb6494d1b972635898ab4df10ce41848ffee437ae0

SHA512
082322c1cb90f34383487526bf7602b1efeea9053b3dbcbceb1e7a48ba56c3af52dcab39e6d8a717bc2dba9fdbf9c3a7bdeddab42cd47fdf0ded97169328704d

Download Submit
C:\Users\Admin\AppData\Local\TempOWOIB.txt

Filesize
163B

MD5
8c6e9ab42638a703b50323eb4618a1ec

SHA1
5f7db0ce1b8a409aed54ba74a07dc14aefa4b0c2

SHA256
b481ac9a779de2bba017d298d5c89b027bd384a8acfa73d39b2452d402a9cede

SHA512
2f573af84dc17a35e21972d2a18bde3407b9a18655d195b23c81ed91c641309d3f65c1135b2d908d0ce43c5b2779525e471313863598bb09a5b9529e57a5c7fb

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.txt

Filesize
163B

MD5
89e522433b731c85139482d45f788ec2

SHA1
a7c7a82cc9f450613d5574eb9516b8bfb3468c7d

SHA256
b813aea977c0e97dac7254217395f1e7c8fc3496a4c024320c9ed30d6ad5ce5f

SHA512
4a8d39ee33e7d49146e2747bd2d432fd45bec1678e4c8cbd97a86bd5f27f3c71dfae1df8c94e801e8a1b14425d91e8b94965302c786e9443a1378e54835f3e52

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.txt

Filesize
163B

MD5
7b79dc7eea216022d53f393972e89b61

SHA1
0492d08361efc368281d3dd53dbce45872a425d4

SHA256
d579c56a04a19b8c0798f0fbf1b2b097259581aa491ac42af34ec0eb085feb37

SHA512
59be76023f9d1fb5af5f9119ea61169b441fb0127919767e4756a2b8b300a0de9d5af4b13f5d9ae70270c9e3211d840a30f291cb69a4b980692bb2b753468f0f

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.txt

Filesize
163B

MD5
9b570159134045325ae16d82147020a5

SHA1
5455f8b560bb5ab16f9405bfc031141c4dcd1ad9

SHA256
a80b5e8717edf443f6577ed46e4370efff33d07b477f8b753726a958f36fe9ed

SHA512
e26345a5f1806f93766dd7b9d00b1712e16a27f11655884e3e27d26a7b932ff95cff18bcecb5b0560fcaa8e15dd773f44924bc80b3029418b0c3229b1a13c410

Download Submit
C:\Users\Admin\AppData\Local\TempQVGEI.txt

Filesize
163B

MD5
3ea11b70a23cf32f40c930d247ce49f5

SHA1
f47f06e80b041991b8c9b357b1d3a47a444e4014

SHA256
ef2e242f3d41094edc4a8f7a42283fb7636c3c91f25adde5b661524547fac631

SHA512
faed7053581bbeb36693940f324188a4b63c334f89299fb9ed5c012aaa87caa177648a9294d67140f01e0c485eb976b8af5289fbab989d6cce6ec7bbd269a8ad

Download Submit
C:\Users\Admin\AppData\Local\TempRRCWV.txt

Filesize
163B

MD5
4e1bd99e24df2894bc8d6ca5770c579d

SHA1
5600d1a3f6c3e7edaf7cb21e2140548cff9f83ff

SHA256
690c45e0963cb87f5a01c5c56b9496fca439f1f82c53d6654610568c599f89f5

SHA512
5c7484f19badf65018fcad73d0ef6a292b959eb9e8bf810748b355595a96085a59910718377b07513c7ac4d688582bee7058b382934d10caf591c83bd820a5de

Download Submit
C:\Users\Admin\AppData\Local\TempRSPYK.txt

Filesize
163B

MD5
7de2ff60a6715c2a2852ea89a4475ae2

SHA1
4319da27bb462d257abd0d1cc0aaec15d669f255

SHA256
59e987f8f6aba48305c22970867cfc80a2ec7283dd22a3504d10a824fde3fe26

SHA512
c6e91b2dcdc34d856fc81405f2056b4b338a523af5bfbfa136ea76cc188be88765f48fb929d01f2b58fe1c1a5131d8f1523b09b9a9dc1d9a0bd3d12c04616590

Download Submit
C:\Users\Admin\AppData\Local\TempSCRSP.txt

Filesize
163B

MD5
eb7cc1ad6286fc8443777b3813b1220c

SHA1
b1a5fbb6caf2316ee52dd09f487ad347ffc5def7

SHA256
beeaadc6ae05d441e5ca5b64a4208c2f80dda8e18640860d49757abc77825c88

SHA512
5257486001025dee01d7c7a2f91b9b18c29a2f3785d3534d05423b9b89dc2eef643956d843efc869abc5e9d27bde677b238c68f33d034fca92135fd579fb1dd5

Download Submit
C:\Users\Admin\AppData\Local\TempUGEIW.txt

Filesize
163B

MD5
54b154c0074045c0b65130047455e866

SHA1
6cb37d98075d62318d5dee038e950d05cbb0f5db

SHA256
2d21b38c4c487ca8efc5582b062d720de64658d9ca8dac2fa857c4148d206695

SHA512
cc53906aaa17be744adbeb782b13989a44d9cf77a3b3e28ac6f616085318f9287bd5bef1ddd208628244556bddd4d4cbb375dfdf1993c959f6c0ddd57e406f96

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.txt

Filesize
163B

MD5
b22132539dd436d0b5e7e9332b303beb

SHA1
816341d0d9bcc592a70cbf867c7ffc44b75c0544

SHA256
1f83c1c4e9fe62a8c51b5a794de6ea2a1b46fd3caa7e303c13b398f4c75a3058

SHA512
31ac6658660f0ac369b201e3ce563658ef64a9b1f53307be642acf7efa1c88ddd6ee9208a5a3c2136a60c5717eb63f4ff11d66e1df1ff932a26253493e0c47b1

Download Submit
C:\Users\Admin\AppData\Local\TempUSBCV.txt

Filesize
163B

MD5
1bdd43fd176c6a51eb3d368fc62a282d

SHA1
b8686c37cf50a944d5a573a09735f54f7cfb1459

SHA256
3e67c3f8a8e5cbcb8bee910de4451b20a5fd975c48cbdc3f454f01b6865752a1

SHA512
b9c52bb7f4caafc7f3c894af10b6b7a62a407aa9944721d1a4eac4ac1aeaa219cf3d5f172c1ad42eb68dabffe40b8b1a561bf1a6d9176ff63bb4cea903e23a9c

Download Submit
C:\Users\Admin\AppData\Local\TempVASWR.txt

Filesize
163B

MD5
83f2239c58729035bb37f589e00bb176

SHA1
be8a88b50229293129567784e029ba75c3780898

SHA256
22be063a91746ef1516216858887c5d1e2f5679bdd2e5a2a7415cc3d5a2d2911

SHA512
7251675b46a0e88bbd86f1ecc2c4bfb14d6722044f32cf753d398d90cde7f0fb8c19958e8c3b9a0c9a1cec3b1cf367ead99504a93a2bf38d7faca75d79100573

Download Submit
C:\Users\Admin\AppData\Local\TempVGFJW.txt

Filesize
163B

MD5
6802e1d742b92a5ca7ef02f9db16d1cd

SHA1
d034a1fe579e06e2b8d5baa8e2faa42c1bbbe37b

SHA256
513c6b684727277667bdad458fd8639d2d243c797cd6a6a8242fb299455d6628

SHA512
a35e9c6b2a954c0dc6c8edd5317a28c1a0382f9703e36f4365bdee7439d952d0d887f53e12a535546fc4a3f3078012ba567131d050095cf6d3e9fba47891c44e

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.txt

Filesize
163B

MD5
ae509edd5dcf523ca66bbe9a385a6970

SHA1
755cc715ac1c910495d7ebe4938c14b5f3a5c7c1

SHA256
9a5316af50370d0e410c04f1e2dee52a446f21fbd412097d81d3e9662df06afa

SHA512
cf52c4cc6246f9b4c0dfe65559a2ef39b1c8e909a7d245ed77e46f696a37ed42241bf097e01809258ecc10003fe2d7fce68f874bbb3c29530b0e7c69fbbdcfde

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFN.txt

Filesize
163B

MD5
bae0445eae1984998b8e8f2e95d61fcc

SHA1
d52837b67fd0715d254589b0abbed61a9e240601

SHA256
16ac196a027a14185c2aa74a7b35d47578fb80583f7f4babcd910ac11c386334

SHA512
98b89bfc0f41a337748dbf573b6d84bb7939cf60b826e2db94b2095aa385d9af350c4e61be9e4d1fe7d9a9b8efda6f94678ec1e3b24666d5f68e7866e04fbb7f

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.txt

Filesize
163B

MD5
38582d0b8684e515acc8a0b855142358

SHA1
091d9a23d9ea9a7fa0a7583fc3233521f038d3f8

SHA256
86ace41294290c8dd92509de6b1a6245e1ac20c41f4f1d7501be7ee721223776

SHA512
b5b207d182e0c3b8ceb79160238c24e6af6c482485d77c2b2b4bf0130611db60c503c2b1f6bcf4220328862c7ff650a3ac4f508dede00b8e50e3dcd92241a633

Download Submit
C:\Users\Admin\AppData\Local\TempWCUYT.txt

Filesize
163B

MD5
37d8942a5ffcb254da56c1cd09b6dbb1

SHA1
7675d4b9064da26c2f4b8caa977a6b486071b367

SHA256
442bfbedb2c1887a9a772b7fdc5a054cb086151bcd66bfadc8deee2cd8369cd7

SHA512
c257781d935a2474813176dcec7a7f60616ddce6a1956dec158a1763c16eee624d8b336007d2fafd7715f7a45bf7a2bbbb3652d9228dbfa8c0c04027e1d43324

Download Submit
C:\Users\Admin\AppData\Local\TempXQWIE.txt

Filesize
163B

MD5
8cf657ee18ff90831120c9ab8a391242

SHA1
1b5943769649c6f011a26190d57915b340441fcf

SHA256
ceae3950d64bdd606b5d177cf82023520e05aefa538ae9752dd66875e4bf6b00

SHA512
5e49079d50c85bb2c15d893dc1bc7033792e420ce86a3c43d7627c89ac3ad50cd46ad1e42ea2e64cf0acf4a1499165cdc047b34bd06e3f3f4fd7bd3d2929b23a

Download Submit
C:\Users\Admin\AppData\Local\TempXSRAT.txt

Filesize
163B

MD5
7b71f34c8208404aa2e362f6497994f6

SHA1
a639bcaf7db18b375c7cc0a497398637f607880e

SHA256
22eb4aa65d75d6bcb1a5130d699d34e07c75e3a7dd4f398d46caca8422bf4a51

SHA512
3adc219828e23f0569daeb14fd2f9bfda9f24f8e441a7204fee7003ae13287f873bdb417092b1671c79a8f54836f4969b6b31eac362006094dcc2331f519e165

Download Submit
C:\Users\Admin\AppData\Local\TempXTAGD.txt

Filesize
163B

MD5
3cf525dbf29f25f34df23201d08fce18

SHA1
0890f015a03ebf0b241fc3f586fbcce07e080662

SHA256
de0703967a2d9f0e376b5597e2c3afc2db7bc40ed7762a64fa4abaf1ae30cc32

SHA512
8a97f87963b63ebfa214e5f4a76ba01c89ef2ea4ac686bb3dd879acd6af7b1f28e1c1aa08fa5fa295c0ba57132135e5779623078fca541816edf973822504ac0

Download Submit
C:\Users\Admin\AppData\Local\TempYGOFD.txt

Filesize
163B

MD5
af522a5ea303ea851c24f9829c421740

SHA1
f5a77928aac462afe7f56199ae8de75e032481bf

SHA256
5ff4f4614539c82da38c5537d8ffd56163edec2b1dc2af8e41cb98e7baba0a87

SHA512
9af85c64ae72327555a0065d5206341edc93838d6fe49e41c95459add623c79acaf9803a731939b1a77526b7084d39ca62255c301550f4fa9d5ac776e7a3e183

Download Submit
C:\Users\Admin\AppData\Local\TempYGOGD.txt

Filesize
163B

MD5
4b6b4213a6274deff4ca98e7bb0fd4ab

SHA1
ad0b1b25e8b71b3c14c40e8a064d72aa88e3e6a4

SHA256
b60d1d001ef0e51c969f6f40e26bed2b518e09345230e104370aecd4a1c5b7b7

SHA512
b490f77f739a0d4e8f2a3f37a68e67c133a44ce9191343044910f23f8add242c4e9e2d5f6924e501a1058c71bc04b21f9fa18cd5ce3ef734be68d4bddf90a1fc

Download Submit
C:\Users\Admin\AppData\Local\TempYGUTF.txt

Filesize
163B

MD5
1fb3aeea25d3ac5c3b3862b15b20e5f5

SHA1
59debac864640ba025d397706c2f9ca73fa8c95b

SHA256
0f48fc9fdbe9a498dc66e95000b6ef3afd22994ce4102a4de6445baa77e7be25

SHA512
e7060eb7ae87e18ccaa49c6c04ec0e61a2c4cb259572f8e2fc57c5abcb942bdc4e6b9f7bf739a1aa0cdb33fde64bf482bdde01e2a6c16c44cf92927b26a4512a

Download Submit
C:\Users\Admin\AppData\Local\TempYXFGP.txt

Filesize
163B

MD5
8f13886a6f8f3d09c63c819d864c70a1

SHA1
adad140373f9a9f5c6fce07572c4e610c1b389bd

SHA256
62dd21100ab5ab21968ce7b9984e867875dd229354f5d78cfd2b8cc8a4614434

SHA512
17b3ba19af960f32a632cf16c12e3d5bdfd948c2784bf7d19803bec8d44e7f33e0c59771bcf1ca4f414ee6f68d6ff8001ac22a8b1a57da2a60147af852ac6aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe

Filesize
520KB

MD5
dc1528587a43c4c1a6f607ef822c1536

SHA1
fe5bc1ef92bde67fec479f475cae6b47215531ea

SHA256
d2164cb270f0595661850d582aa2ba8510fbf3b8c32aa4faf980a5c094f88944

SHA512
c5089f8fc2fa6a3b87c75de641be693410465f627a3f186f3cdbfc0122c747090018a7586b34e7cf8ff3d3aea4ee6b3cd230eafa0010736985fe7b30a1a87f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

Filesize
520KB

MD5
0e8bbf799aec17349b686278849c66b9

SHA1
48f976a6189278410789bdeccfc7854a45cd32fd

SHA256
d7c9ee3f5156b2a6ce7fba1367716193310fcbac616204b24f4fdda6ac36e388

SHA512
fbc38484c8b37f518c6f1e3d2d4e60a5096ffa08cb17acdfca5fe02e0991332682b057b95d564237bb614e403e0c13b5e5b22b04ab12f22331a72818fa39c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe

Filesize
520KB

MD5
93f619453f1ab2ccfea52b733177724b

SHA1
50b181091fd2b625ce72318829d2b19a644cabb0

SHA256
4bb6aaf5ece3c7d885ae2161344ca2600b12075b933b963fdc59643775087948

SHA512
bd2cbbd7a339586748d58c1a489d95de6a99f17d953ac5b9e5051415ed6b24d96fe5234716f67e7e580c08ee877f5d04cdc1356e3fffea33cc9fdcf439047637

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe

Filesize
520KB

MD5
b5a004240d8425c443afc35bcc398ce3

SHA1
a05785b0d5448b95bc1fdb8d54356e51a2d422c4

SHA256
5208baa58cf7293e68ca4b2ca3e2a77e9abbd6cb96e725b5cc5172164a6a4223

SHA512
a12ebb0e80c4c328814944ff442b166ba55e0acd7a71439071b6c82bc7c095522eb23cd6cd262ff6dadac5aabc8557bd1b2b090909b2e7afbd0e3eccf97b4355

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe

Filesize
520KB

MD5
9f0fa15911cccd9a450730f1180f0b13

SHA1
eda0b14882ccf493773dceb173a97a206b69488e

SHA256
6b8c4bc8f9609a45b324f9823129e18ceaa84e7f18df9dc1ba4d173fad406d3c

SHA512
9e5de86de04942da978483ce77cbdcdc57dbe85ccf3c8ff685f3b6387eaf659e92694f0866780c5fa9d8b9e42784f86d798923a32efb68853195b285aeaf4ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe

Filesize
520KB

MD5
d6eeda45170c43449f0b581926883578

SHA1
769e69a6142e83ec668259a5a85717c6381e7432

SHA256
6c8e56b9a796c4aea0c4cd89805b57e16cdfce4c378e084e06b69c5e92031515

SHA512
80495f13c7b650c653c4c09a6b81255029577f4eb6b0fa3af29573d7316824fbd1ee995d8c3ce3e8eeb210130f6277ec91333426892168c4b107d2c20bc9b695

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe

Filesize
520KB

MD5
f33a936a804f16d5ccf7ec6c1579c0ad

SHA1
a2014dfe2720d2d02837c34a65cc5e8471de06af

SHA256
0e3b851354ed62584675d3fd9a0eaeb6049bdb194f16e1fa3cab06166ed0f6f3

SHA512
3abb62e96a0f6d39d96e5f10cc48a52ce561447ee3e0b071da16fd2889e88fff9215ece5542f1247ff5e5cd95cc3cedcf2f80496d4b79ecf2b43e927a69709d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe

Filesize
520KB

MD5
6db66dcebc78552254bb4b8a02fe372f

SHA1
524a1e5fad999138cbb3d0fdb4440bd3325b3e38

SHA256
a22cb7710ff5f4910142ba36cfb2b4fbc1c317c92c06f12ebac7548c86499524

SHA512
fdb9725855823d7f9fe2488da0c410bc48f412d21d3519a9ece2b61edd548d95e3d547ed7c9a49b538c9ddb3e3cd4b8ae559771cf8246e1b041486643b02f567

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

Filesize
520KB

MD5
b4073c9280e41ad9a573139efa7b3542

SHA1
ba95c3f00e262aea13d50db17bd0c8f4de9d5740

SHA256
8664ee45d8e448fd1f3df051db89acba3d0367dbba737041e5e574f2174345db

SHA512
39461f6c0efc5e0c02833287345a0575e855d3f19961292ac0fefdd904ca4410c89acc1005c1894c1f6c1bbb0db5ece131a34f50957575415ab741d86dc9155c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

Filesize
520KB

MD5
d4fce83e0f10002d817251788de66bb9

SHA1
10a834c23b5cb11aa364a4c4901851adbe6bb358

SHA256
a1295835b81d680455c358c86c6355bc4b99950d49afef7367c156f10d2e19fb

SHA512
9eb7619e475f5257b0b83b1c35129d08b0b7ce7e7ccbf439bb717ea920a2f2ee072ea251739bb2f7d33030a1de868bbd82a4700fe2da90bcedd22559efe7087f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe

Filesize
520KB

MD5
f7fb5bc4701114c2eb8502f4c7ab3c53

SHA1
731fd52eb645028840530e94fc60402e5d2a0191

SHA256
a1eba8a24282f9ef1dbda69459626603f2b4940151125246aa2ddc9692f62a62

SHA512
f4e3f28a6daeac6006c1e53cde9a4e6f4f437b2c70c8ea32717d63ad4ab46586d7a3ddd4ecc53277e362c94784fde3dc029ccec57a29ff35d7099655765bf7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

Filesize
520KB

MD5
a6d0bf66361dc01a9a2343310b1b1d69

SHA1
3e30d106ba8a5e284b7dcad14304105ee0cc02c8

SHA256
1a4631951129a3e3a5c74815b3c70145d27dfb6dee1623e1267e8e11f0284ea7

SHA512
1dec0647dc1ca6a11b58e70825831c8f346b7a0294747cf937b91f00f896dccb8798e9c7c97ff2b55ca391b428c26e9584c3f7a2ea0f4c089c1de7f9674439e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

Filesize
520KB

MD5
afa78eb7d384e992bc3d2eff53715c63

SHA1
cea87f221bea8e3d463876c3f5eb8b77d1902bcf

SHA256
1972ec40beddcc0eac2e7677ca0dccdf4a6d864725e770a26aca7ea37472c80f

SHA512
06da14957dff1c7e4a82e3d973175be30ce9e9e341e3849d03a24958c3ce24fe85ad3bcd3b9ae62f34950d1f1a22ae511e17142f4aad738a9d1de29209401b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe

Filesize
520KB

MD5
0a0930eb722649f8597f11af153f4e73

SHA1
bdea61cfc664cee5be455963a119e0c243e380f0

SHA256
ca24c5374a07dee14a18f64d7462cbb556e0486448b7f093d9bb9da95424ca87

SHA512
148933ccdaa587dea5dfa555c2d022061e2eff2a61fab7bbd5a501d6e13ad37b27d6537a2c822553b61f062ba842e23fa20e706bcb840f9f38beadd3a044897c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe

Filesize
520KB

MD5
3e48773f7ac1202516147971509dd11c

SHA1
9890451919153cd9bab36c6f5ac54cbc5f1faf0e

SHA256
5538003bdaf9a280948775fc5e9ca935648899ecfad67cd0efd183626133460f

SHA512
7ffaa38ca6f1d04cdff3e0a5bc8b220336c8b68ecd64ac0c091aac93d5cebbb2a89d60ee7f26b2e99e78f45403fc6e6ca72b7acf92cb5ee74f7c3667bc2060ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe

Filesize
520KB

MD5
a22631593e49a69770ded955ef90f885

SHA1
2f5ea65ab98f5f586ec1f2ce40a5e34f2880ec38

SHA256
02132dda2c1229ec1f370967c88020593f5c287b21ef25a7e1b4b1055106e966

SHA512
4a91fb9b1a318854f58d2a203639cf82d8542228f477039485db226ac55b6e589c575fa584e6db6b349bb25765ad43bd7c58f45e638d24c7db6f51a14fdb0c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.txt

Filesize
520KB

MD5
b711b37fe1827d094f49245996fb6586

SHA1
f18cce62ba76149d0212f74818cba48753a8cabf

SHA256
91ab007af9df49861eb0b67a580eaad8d44c768260621a8652b1bbf2b1fa88bf

SHA512
9c4afedc3a8ba4972bfdcbbdab53cf7ab50a62dfeeea32c43544a3a86e57081dc2671ee861a8f946cc7e615fcafe7eb87c7548289f376867e61aef9fdef0efa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe

Filesize
520KB

MD5
faa1c13b321003440f1894417b9e72b3

SHA1
60e4734f04f3b62849693412d2b84af2ecc26ab5

SHA256
593dc4bfcfe9b10423c72f927ec51c93e45a698a1e2b11a2de734d66bd09e6b8

SHA512
09b89b813ec9eed289cb0562816243d034d553c70ab1f4e1b828710d5e8674b7db208f0cd17417a88aab7488f5c910e9230bf9a3506aacd46d11fcf3dadae0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe

Filesize
520KB

MD5
01840a4769bcdf062394f921450ed1ae

SHA1
2366cf740817c952f7922f880fa134dd32182031

SHA256
4dfb87fbf88fbb5cb887fed09fedc76c505fb1289ec8049a895cc3baff03b5e0

SHA512
5d4ab327a4f33d9d0be01313e69bb55bfa6796e324366158fd43678d33e7f822d5fd17152748f8bf788a7f8d3d52ef5d1700b7a1d9ab4c3a236f58616157caf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe

Filesize
520KB

MD5
e8da65d2bb8c494d853e0667c17dc2b7

SHA1
65d2f7da8dc88525ab56ce94cf4d39af00a3fb19

SHA256
fc2f17030d74479e84fde7c69dfad47369b3f7220289c3dce7f89fbb0f026ddd

SHA512
0951ae082c46daa3a671171382803c510dc77b9ce3ca79f4e4bfbd9e9cd30f7120a03de6b13c01945a805387039d83588063dc15a2fea477fe25c6df6e6756f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe

Filesize
520KB

MD5
7d469346060ba30733fcf972d3ead2ad

SHA1
b41f698ada0483ad44ec54b5b802012d3c68b325

SHA256
b055c8829fbfa74df9ea916e0e4e74d4f34fa45fd49767fc9c30898ed8467e2c

SHA512
4f6f76e1b883662ba8618425c807e4cf85bffe16a78e607e41184644453f4a3e68a3e10dca96e98eb363021df99208a31007be8869045ab707c304effe7ef0e2

Download Submit
memory/1004-1172-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-1171-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-1177-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-1178-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-1180-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-1181-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-1182-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1004-1184-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads