blackshades | 412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
Size

520KB
MD5

382a233cc77468e58568ce23c2000306
SHA1

67085d0dbd7416c1c81783ff354e8f835f997191
SHA256

412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a
SHA512

a23b399f5e377ca424334253072292c3adc7f616d520960ffad26b50a019fd5e2899a344dbd57c3928eea71ab3e38906914f7676f6d482c1e4772f6d6dcbbd29
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXW:zW6ncoyqOp6IsTl/mXW

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 5 IoCs

resource	yara_rule
behavioral1/memory/2664-1748-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2664-1753-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2664-1754-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2664-1756-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2664-1757-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHET\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 64 IoCs

pid	Process
1028	service.exe
2972	service.exe
2024	service.exe
2772	service.exe
2980	service.exe
2480	service.exe
1896	service.exe
2644	service.exe
704	service.exe
3004	service.exe
2684	service.exe
1216	service.exe
2788	service.exe
844	service.exe
1984	service.exe
648	service.exe
2352	service.exe
2700	service.exe
2340	service.exe
2064	service.exe
332	service.exe
2824	service.exe
2576	service.exe
2140	service.exe
2160	service.exe
2112	service.exe
2324	service.exe
2736	service.exe
2744	service.exe
1912	service.exe
2684	service.exe
1780	service.exe
1728	service.exe
960	service.exe
2272	service.exe
2072	service.exe
2112	service.exe
2812	service.exe
2800	service.exe
2744	service.exe
356	service.exe
2932	service.exe
1020	service.exe
1676	service.exe
1504	service.exe
1892	service.exe
2644	service.exe
2740	service.exe
2656	service.exe
1384	service.exe
1852	service.exe
2968	service.exe
2216	service.exe
964	service.exe
1676	service.exe
1516	service.exe
1624	service.exe
3008	service.exe
704	service.exe
2340	service.exe
1084	service.exe
2928	service.exe
1792	service.exe
1652	service.exe

Loads dropped DLL 64 IoCs

pid	Process
1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
1028	service.exe
1028	service.exe
2972	service.exe
2972	service.exe
2024	service.exe
2024	service.exe
2772	service.exe
2772	service.exe
2980	service.exe
2980	service.exe
2480	service.exe
2480	service.exe
1896	service.exe
1896	service.exe
2644	service.exe
2644	service.exe
704	service.exe
704	service.exe
3004	service.exe
3004	service.exe
2684	service.exe
2684	service.exe
1216	service.exe
1216	service.exe
2788	service.exe
2788	service.exe
844	service.exe
844	service.exe
1984	service.exe
1984	service.exe
648	service.exe
648	service.exe
2352	service.exe
2352	service.exe
2700	service.exe
2700	service.exe
2340	service.exe
2340	service.exe
2064	service.exe
2064	service.exe
332	service.exe
332	service.exe
2824	service.exe
2824	service.exe
2576	service.exe
2576	service.exe
2140	service.exe
2140	service.exe
2160	service.exe
2160	service.exe
2112	service.exe
2112	service.exe
2324	service.exe
2324	service.exe
2736	service.exe
2736	service.exe
2744	service.exe
2744	service.exe
1912	service.exe
1912	service.exe
2684	service.exe
2684	service.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\LYFOXVGCNGHXQTV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRKPWIICWADTPQL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPUHLGEVTJJLGCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXTOBXJYDIXYVFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRUFJPCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUIIJEDJFVIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKPXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNLSODRYI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\UYTPRDJQQBVUJSF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVWKWIGKYCMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\OJHJNUDPTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHIFNGKBM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\QVGEIDLWBYTRAAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEYAVQDKFKXGSYP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQEBPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRJFAQJKTXYKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\XENXVFBMFGXQTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\IWDMVTDAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUFGTAQYNXNJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOMUGMRDBFAITUQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHDBDYTGOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWRAUYWKPUABHET\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVQXMNAFMNWRRGP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTYRHRLJMYCHVU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\WWESRDMDVMJEUNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNKJNBEAOUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSDTDSTQALR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHWUKUOMPAEKXXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DIWVHPHYQMHXRCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SSCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJFDKFVIQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVTRWJNIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQHMEVMAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITVQOQGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEXOPMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNMPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\HGTAJXTRBWICVYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTHIDBEUHOJOKWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLBPLJXOANQLEHI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKXGGSYPMRMTIJB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEYEAVQDK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNQFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTFMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNSLBBDFTBPOAID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHET\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\FBBWREMGLITQOSN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUPSWUXINSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\TXSOPCIPPYAUTIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSLMWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNDOHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAIUVQORGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLGAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOULJNIPEFXWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LEUDLAVARMGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\MDNTLCBDFTBPOAI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVUYLBPLJXOANQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNOBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIJFDKFVJQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\HLQDBPXPCEYAVPD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEME\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\MAVRMAVHWBGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXNYRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNSPDPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQQAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHAXGPFLCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\IXYVEFQWNLPKSGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGWFNBBCXCTOBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVAWKXIHLYCMSKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXIUTUQOVQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\XENXUFBMFGWPTUF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DPQLKMCPWGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\IPTFDHCKVXSQSIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMFLSDERXOWLVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\IWDMVTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\YMNIGJMTCOTDPBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHENFKYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXTOBXJYDIXYWFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFABVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAXTRATJW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\HLQEBPXPDEYAVQD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXXVEEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWCSNAIC\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2820	reg.exe
540	reg.exe
2364	reg.exe
2024	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2664	service.exe
Token: SeCreateTokenPrivilege	2664	service.exe
Token: SeAssignPrimaryTokenPrivilege	2664	service.exe
Token: SeLockMemoryPrivilege	2664	service.exe
Token: SeIncreaseQuotaPrivilege	2664	service.exe
Token: SeMachineAccountPrivilege	2664	service.exe
Token: SeTcbPrivilege	2664	service.exe
Token: SeSecurityPrivilege	2664	service.exe
Token: SeTakeOwnershipPrivilege	2664	service.exe
Token: SeLoadDriverPrivilege	2664	service.exe
Token: SeSystemProfilePrivilege	2664	service.exe
Token: SeSystemtimePrivilege	2664	service.exe
Token: SeProfSingleProcessPrivilege	2664	service.exe
Token: SeIncBasePriorityPrivilege	2664	service.exe
Token: SeCreatePagefilePrivilege	2664	service.exe
Token: SeCreatePermanentPrivilege	2664	service.exe
Token: SeBackupPrivilege	2664	service.exe
Token: SeRestorePrivilege	2664	service.exe
Token: SeShutdownPrivilege	2664	service.exe
Token: SeDebugPrivilege	2664	service.exe
Token: SeAuditPrivilege	2664	service.exe
Token: SeSystemEnvironmentPrivilege	2664	service.exe
Token: SeChangeNotifyPrivilege	2664	service.exe
Token: SeRemoteShutdownPrivilege	2664	service.exe
Token: SeUndockPrivilege	2664	service.exe
Token: SeSyncAgentPrivilege	2664	service.exe
Token: SeEnableDelegationPrivilege	2664	service.exe
Token: SeManageVolumePrivilege	2664	service.exe
Token: SeImpersonatePrivilege	2664	service.exe
Token: SeCreateGlobalPrivilege	2664	service.exe
Token: 31	2664	service.exe
Token: 32	2664	service.exe
Token: 33	2664	service.exe
Token: 34	2664	service.exe
Token: 35	2664	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
1028	service.exe
2972	service.exe
2024	service.exe
2772	service.exe
2980	service.exe
2480	service.exe
1896	service.exe
2644	service.exe
704	service.exe
3004	service.exe
2684	service.exe
1216	service.exe
2788	service.exe
844	service.exe
1984	service.exe
648	service.exe
2352	service.exe
2700	service.exe
2340	service.exe
2064	service.exe
332	service.exe
2824	service.exe
2576	service.exe
2140	service.exe
2160	service.exe
2112	service.exe
2324	service.exe
2736	service.exe
2744	service.exe
1912	service.exe
2684	service.exe
1780	service.exe
1728	service.exe
960	service.exe
2272	service.exe
2072	service.exe
2112	service.exe
2812	service.exe
2800	service.exe
2744	service.exe
356	service.exe
2932	service.exe
1020	service.exe
1676	service.exe
1504	service.exe
1892	service.exe
2644	service.exe
2740	service.exe
2656	service.exe
1384	service.exe
1852	service.exe
2968	service.exe
2216	service.exe
964	service.exe
1676	service.exe
1516	service.exe
1624	service.exe
3008	service.exe
704	service.exe
2340	service.exe
1084	service.exe
2928	service.exe
1792	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2520	1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	30
PID 1192 wrote to memory of 2520	1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	30
PID 1192 wrote to memory of 2520	1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	30
PID 1192 wrote to memory of 2520	1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	30
PID 2520 wrote to memory of 704	2520	cmd.exe	32
PID 2520 wrote to memory of 704	2520	cmd.exe	32
PID 2520 wrote to memory of 704	2520	cmd.exe	32
PID 2520 wrote to memory of 704	2520	cmd.exe	32
PID 1192 wrote to memory of 1028	1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	33
PID 1192 wrote to memory of 1028	1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	33
PID 1192 wrote to memory of 1028	1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	33
PID 1192 wrote to memory of 1028	1192	412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe	33
PID 1028 wrote to memory of 2884	1028	service.exe	34
PID 1028 wrote to memory of 2884	1028	service.exe	34
PID 1028 wrote to memory of 2884	1028	service.exe	34
PID 1028 wrote to memory of 2884	1028	service.exe	34
PID 2884 wrote to memory of 3004	2884	cmd.exe	36
PID 2884 wrote to memory of 3004	2884	cmd.exe	36
PID 2884 wrote to memory of 3004	2884	cmd.exe	36
PID 2884 wrote to memory of 3004	2884	cmd.exe	36
PID 1028 wrote to memory of 2972	1028	service.exe	37
PID 1028 wrote to memory of 2972	1028	service.exe	37
PID 1028 wrote to memory of 2972	1028	service.exe	37
PID 1028 wrote to memory of 2972	1028	service.exe	37
PID 2972 wrote to memory of 2680	2972	service.exe	38
PID 2972 wrote to memory of 2680	2972	service.exe	38
PID 2972 wrote to memory of 2680	2972	service.exe	38
PID 2972 wrote to memory of 2680	2972	service.exe	38
PID 2680 wrote to memory of 2672	2680	cmd.exe	40
PID 2680 wrote to memory of 2672	2680	cmd.exe	40
PID 2680 wrote to memory of 2672	2680	cmd.exe	40
PID 2680 wrote to memory of 2672	2680	cmd.exe	40
PID 2972 wrote to memory of 2024	2972	service.exe	41
PID 2972 wrote to memory of 2024	2972	service.exe	41
PID 2972 wrote to memory of 2024	2972	service.exe	41
PID 2972 wrote to memory of 2024	2972	service.exe	41
PID 2024 wrote to memory of 1128	2024	service.exe	42
PID 2024 wrote to memory of 1128	2024	service.exe	42
PID 2024 wrote to memory of 1128	2024	service.exe	42
PID 2024 wrote to memory of 1128	2024	service.exe	42
PID 1128 wrote to memory of 332	1128	cmd.exe	44
PID 1128 wrote to memory of 332	1128	cmd.exe	44
PID 1128 wrote to memory of 332	1128	cmd.exe	44
PID 1128 wrote to memory of 332	1128	cmd.exe	44
PID 2024 wrote to memory of 2772	2024	service.exe	45
PID 2024 wrote to memory of 2772	2024	service.exe	45
PID 2024 wrote to memory of 2772	2024	service.exe	45
PID 2024 wrote to memory of 2772	2024	service.exe	45
PID 2772 wrote to memory of 2788	2772	service.exe	46
PID 2772 wrote to memory of 2788	2772	service.exe	46
PID 2772 wrote to memory of 2788	2772	service.exe	46
PID 2772 wrote to memory of 2788	2772	service.exe	46
PID 2788 wrote to memory of 2696	2788	cmd.exe	48
PID 2788 wrote to memory of 2696	2788	cmd.exe	48
PID 2788 wrote to memory of 2696	2788	cmd.exe	48
PID 2788 wrote to memory of 2696	2788	cmd.exe	48
PID 2772 wrote to memory of 2980	2772	service.exe	49
PID 2772 wrote to memory of 2980	2772	service.exe	49
PID 2772 wrote to memory of 2980	2772	service.exe	49
PID 2772 wrote to memory of 2980	2772	service.exe	49
PID 2980 wrote to memory of 1244	2980	service.exe	50
PID 2980 wrote to memory of 1244	2980	service.exe	50
PID 2980 wrote to memory of 1244	2980	service.exe	50
PID 2980 wrote to memory of 1244	2980	service.exe	50

C:\Users\Admin\AppData\Local\Temp\412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe
"C:\Users\Admin\AppData\Local\Temp\412f931d3d3390c94a213205433e1bf750f5be5e259e51890b8b1275b4d5e07a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempEMDYB.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IPTFDHCKVXSQSIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:704
- C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe
  "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNOBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIJFDKFVJQK\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3004
- - C:\Users\Admin\AppData\Local\Temp\VONVJIJFDKFVJQK\service.exe
    "C:\Users\Admin\AppData\Local\Temp\VONVJIJFDKFVJQK\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempRTYEF.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWDMVTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe" /f
        6⤵
        
        PID:332
    - - C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "
        7⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEYAVQDKFKXGSYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQEBPXP\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQEBPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQEBPXP\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVJKKT.bat" "
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBBWREMGLITQOSN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
        9⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQOQGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEXOPMUGNR\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEXOPMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEXOPMUGNR\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIQCJN.bat" "
        10⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRJFAQJKTXYKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        11⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVAWKXIHLYCMSKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEDQUU.bat" "
        12⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXSOPCIPPYAUTIR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        13⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQALR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXXJ\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXXJ\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYAHHQ.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe" /f
        15⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
        15⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBRSPX.bat" "
        16⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHPHYQMHXRCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYFGDL.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "
        18⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSLMWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
        19⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHDBDYTGOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRNAMU.bat" "
        20⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLBPLJXOANQLEHI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        21⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNMPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
        22⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWDMVTDAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUFGTAQYNXNJ\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\VPHNUFGTAQYNXNJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPHNUFGTAQYNXNJ\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCYWBO.bat" "
        24⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVQXMNAFMNWRRGP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHEMFK.bat" "
        25⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMFGXQTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "
        26⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWLXJH.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAIUVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMVHNS\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMVHNS\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        28⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDMYVU.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQOSNVJKDKKTPXO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        30⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "
        31⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXJYDIXYVFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOQGTB.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOMUGMRDBFAITUQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
        33⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIPK\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VNMUIIJEDJFVIPK\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGEMFJ.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXUFBMFGWPTUF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
        35⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
        36⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXNOLU.bat" "
        37⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WWESRDMDVMJEUNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
        38⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYFOXVGCNGHXQTV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRKPWIICWADTPQL\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\XRKPWIICWADTPQL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XRKPWIICWADTPQL\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        39⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVCQ.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNBEAOUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempERVVP.bat" "
        41⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYTPRDJQQBVUJSF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKFJXG.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HLQDBPXPCEYAVPD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCHYUV.bat" "
        43⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLKMCPWGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKFKXG.bat" "
        44⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HLQEBPXPDEYAVQD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        45⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLGEVTJJLGCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTMPQV.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGTAJXTRBWICVYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "
        47⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOULJNIPEFXWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
        48⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIDCIEUHPJ\service.exe" /f
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\UMLTIHIDCIEUHPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTIHIDCIEUHPJ\service.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MAVRMAVHWBGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDVURR.bat" "
        50⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJMTCOTDPBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHENFKYA\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHENFKYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHENFKYA\service.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        51⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKWIGKYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempADRXJ.bat" "
        52⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MDNTLCBDFTBPOAI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAE\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAE\service.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRVQXM.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTHIDBEUHOJOKWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
        54⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXJYDIXYWFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
        55⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDPTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        56⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIJRNW.bat" "
        57⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGGSYPMRMTIJB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe" /f
        58⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEHIRN.bat" "
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYLBPLJXOANQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
        59⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSPDPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe" /f
        60⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
        60⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFABVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMREBQYQ\service.exe" /f
        61⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMREBQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMREBQYQ\service.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKPXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe" /f
        62⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOJXWI.bat" "
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHAXGPFLCTKJUR\service.exe" /f
        63⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\ORHAXGPFLCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHAXGPFLCTKJUR\service.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBEGPL.bat" "
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVTRWJNIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe" /f
        64⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAXTRATJW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe" /f
        65⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBFGPL.bat" "
        65⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVTRWJNJGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe" /f
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QSICYAHRHMEVMAK\service.exe"
        65⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXBPFTOMRERTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKSGQH\service.exe" /f
        67⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKSGQH\service.exe"
        66⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGHQL.bat" "
        67⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe" /f
        68⤵
        Adds Run key to start application
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe"
        67⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXFNE.bat" "
        68⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVGEIDLWBYTRAAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe" /f
        69⤵
        Adds Run key to start application
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe"
        68⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        69⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXXVEEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f
        70⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
        70⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNQFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMR\service.exe" /f
        71⤵
        Adds Run key to start application
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMR\service.exe"
        70⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYRXJF.bat" "
        71⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNSLBBDFTBPOAID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe" /f
        72⤵
        Adds Run key to start application
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe
        72⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        73⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        74⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe:*:Enabled:Windows Messanger" /f
        73⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe:*:Enabled:Windows Messanger" /f
        74⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        73⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        74⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        74⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.bat

Filesize
163B

MD5
8cc8a8f9aa167a79e215e0a124948c64

SHA1
027d17f560afc112990c81a11657d96b50be82f1

SHA256
f33342db98fa395a72967b9dd83c914e30e246619c21fbf9faa50afcc42afdd0

SHA512
7f6a329d216714010e0ebd44891d9acd64bd4fab06afe441aa98e8b5695f73170e750efa291406df48100a6429379e5f8d63b96fd69fb710e3007f6901fb7d8e

Download Submit
C:\Users\Admin\AppData\Local\TempACESA.bat

Filesize
163B

MD5
cfae71edea40fdd0c7a65a2da36386f3

SHA1
60fb707a4446b277fdac97c2d619b890cc292631

SHA256
b715def58f1133788c66e0a2ba4cb9fdd913bdfad7da160a9f83fdfc70abc053

SHA512
54c1eb05b2958ae17880044dcfc3a9b3e1ba780652863c09212cf77c44664e16dd637f9321654f254e0e73e9cd60c77a1bbe701ecfa1c61f2e8144f1938c685c

Download Submit
C:\Users\Admin\AppData\Local\TempADRXJ.bat

Filesize
163B

MD5
d25cc7efd37620d23f7a9693e0b746f5

SHA1
a2edd6a14cd2514f290a28d8adf2be63f9e0602d

SHA256
a6813234b04c03028984ed88157b2dce3f06dbe2c64558efcecda59284aeb573

SHA512
72f9994218d04f11dc9472c81fabd2f479aa0ffaa5a7eda96c082fae8266e5d44c8d88d56528111609e16d2492cd10230d2bb0913746fa11dd909ecd9bde0f58

Download Submit
C:\Users\Admin\AppData\Local\TempAHVCQ.bat

Filesize
163B

MD5
4b0d872f3f416957a182ff7e52c309eb

SHA1
0f1b526a0543465b9e3dbeda4d433788776401c9

SHA256
6432bfed5b2ad0c9a8af3893a8ba1adc4366ebfb2bc5c0d373404ddac44baa88

SHA512
4655e8922a7735416c318b9fcbc22580b512c35518ca7ccc8085fba08adb232deb54b6266167f54a7911ae83310c9dc563da8189d836a2ee6d393e074749beb2

Download Submit
C:\Users\Admin\AppData\Local\TempBEGPL.bat

Filesize
163B

MD5
8135d0c245179f01704fad424c3ad348

SHA1
8714ed9aa1431ac1c26d64b8de7319bafd5c2c83

SHA256
b35b8dfefc68ed48bd79fb108a68beba65453bd78e84cfdcbd14ddfd23f42427

SHA512
eb77dcc94520c5e8cadbe84147c434cce64de264c1e2192fecd2aff80b7a90237d6786044b0ff97d4df5e21e1733e527cab024f3aca62d1e2d66f857fd1ec801

Download Submit
C:\Users\Admin\AppData\Local\TempBFGPL.bat

Filesize
163B

MD5
44d686f6f2417d38f57ab7496efa783c

SHA1
4d10789b00680936345ae6c9874f687a77b2de4f

SHA256
3f821cdaec4d5eb9444f4dabdb0ec6730a872cfd82d3cee0ec37a45a5abfaa9a

SHA512
b08725adfb0361d41016b7fbafd860fef7852c99b80bf0879381c51e49cecc79ed253ff8e40c153047b39f093fb76ce1a4a789f9248dc8ed36413e8fd1d6e1b2

Download Submit
C:\Users\Admin\AppData\Local\TempBRSPX.bat

Filesize
163B

MD5
f8e7ebacb675eee64abe21a79861a220

SHA1
bc4a7004fb2ffdaaacc4d4646e26ba1fe8b8d131

SHA256
dcaacb86c76a8d9962e4457db5e974aef03fd5028d4e2252047ca42ce047c990

SHA512
6449f1111ffd19ab23b045ea9ae7788adac0a469f5e8a6a609cee9bcb7167e459c6a6334cde142de1a30dcdd5d08faf41fe75a28f595576cee04fdca12516959

Download Submit
C:\Users\Admin\AppData\Local\TempCHYUV.bat

Filesize
163B

MD5
0c20230511077ad284f313b6ac516658

SHA1
7177baa65bef92e25ef7eaef4075b9e22d075664

SHA256
43c6916fed10d02a63cc2116b569bd40a275d6740b96a512e5e812df4561a8c3

SHA512
f28529b0766943fadcd66da5e5459c1cf529728ebd9de5f9061da6cb0038ee8ef0bd8af9cb0969f01e0a101f08c26f6784d34f07e74ed105eebc9f9b1c8d5a8a

Download Submit
C:\Users\Admin\AppData\Local\TempCYWBO.bat

Filesize
163B

MD5
3f44479b6f4b22e5358e0fbdd1ac873b

SHA1
73b1ace6894aa05ed528b79853030eae28c0a4bc

SHA256
7e91f721caae6c04cd9d115468cd6e815566a8e2564162547d4749d6f3697c9a

SHA512
740bb48ead9a1dbe1a8f9dd692d113a55bbd20dc0031120086c92bf07738e45ee64fba12d4b54cc198149dfc8fe8f693f50bd803bdf9d000987e9f35fcad27fb

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.bat

Filesize
163B

MD5
c1e9cc859b16b9aaf13c7abbc8695e56

SHA1
fb49c82be270cefd43f9154a833d9f1fd2b811dd

SHA256
fd1db65b4c055373a0a760d16e5e68b96b8d83802200465c0c07a43eb6050027

SHA512
dd2803c4bb852df4f419bfd558036ab6503de0b5883719540b71b7d134fd9eae0e1d3fd61add84ae9203c08af3f3483d18e23c122af0f408e5382b0b831d2114

Download Submit
C:\Users\Admin\AppData\Local\TempDMYVU.bat

Filesize
163B

MD5
dc49f8a5c1f9dded948dc504edcbdaf0

SHA1
8cb5eac0fafe9c30561275bf3af3e5564dcb32e9

SHA256
cbe8c62200e2b6e82c84ba08ac40f343d9f1ead63ca2a81d550d0a22cd5d23ab

SHA512
dd39d33cff5810fa9c8f3b705493123f3353695516f962beef35c1595435dc112dd3f3b305f3e98c7cdf77d7ada400b74ae0867271537338450268a45698fcdd

Download Submit
C:\Users\Admin\AppData\Local\TempDVURR.bat

Filesize
163B

MD5
e13ad6160f030f5879e63f316df964f5

SHA1
854b24a8a36247164e70851ad03cfb28fd5e185c

SHA256
d7c550a4067093441233310f5db08a566bc58a8fec7c7325735d460cf0152ff1

SHA512
4a9f1278c6d6439839664b252d3c745c3e5bae29769bf69a2e73fcf01fd2facf732ede047fe463bf4924d96b538b6d0f206b25292d3b354a83b1c918664b29ae

Download Submit
C:\Users\Admin\AppData\Local\TempDXBMK.bat

Filesize
163B

MD5
0209111bbc2fcfef39fc6801f977e786

SHA1
b124af40f009e68cad8d58a1fca9dd3af83803e5

SHA256
22b38c22966e0646cca356accc277a432c037478d4e4facdcadb1ec4184426fe

SHA512
42319942bc273dff4b2761e94e8389448b92a74beb3e35a1ca0468e8b8812a6f87f5f8e6c34e4d19f2622aa8c5d1f6564f0ec144cf8710336eb3907bb700a908

Download Submit
C:\Users\Admin\AppData\Local\TempEDQUU.bat

Filesize
163B

MD5
2b5fa2385dd8d3d082dd96706ac374a1

SHA1
784f5ae3fea6664eadc03720f7302319178f089e

SHA256
063250981d9202a9d0647bef55065f9c46d6db0c7ce4e0df98ccc31f02d33be0

SHA512
a8330fee4136e7823ee56ab7df382a3d29ada686df923343eb75f5e3f7c2eed0aaafed95a5df3fdfb4be070892b12ca300fd48e742b2d0879dc88d027c367fc1

Download Submit
C:\Users\Admin\AppData\Local\TempEHIRN.bat

Filesize
163B

MD5
b4316b431afff4c501a2f415689cc9c7

SHA1
ba5bb8a12985cf2d836d2a185f66b87bfcd44baf

SHA256
ae1d8e6717b001e9e920672cd5bda28ed73bba5c83fc73f1e3c0b37133c6ea4c

SHA512
fd5d03b1c7fa33ed0a45be777e4fb67186d48be5c324be373f8f9916182041a613de1ef5f8ef6dbd0ae83ae8ea9060229a3f85734937484433022d0f06d73254

Download Submit
C:\Users\Admin\AppData\Local\TempEMDYB.bat

Filesize
163B

MD5
df66e4d4587f9a55239f855c96b59b84

SHA1
128ac4f215c0f1f0d77837fe846f3f0340cff23f

SHA256
c588113e0c1c72b38b7f8bf5776ed2c743dd034ae9961a0ca12ed65b2492fc7d

SHA512
4ae1cf0e1501465b47d403fd2d5cef0833487a1e4f824fbf182c696ff3abd6292d356cf9bc2db295c3a67ba10fa572b833a5d43b8d073f561a4665afd456334c

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.bat

Filesize
163B

MD5
73262ec89d66e9d3aa2e46f5314ff32e

SHA1
aa15005f0ac0bfc2c211075aa196d35dc6cee6b4

SHA256
2eaaf4f77eda34b9054f7ae054405203c120f9bb00b6f26a8969a3e32eadbbab

SHA512
95b76eb5cd32286e0173c368ce5c096ff3577e6bd621760c80ce34839c1619561ce20055cfcdffb3e628ff24db9dfe3521c0b6607dc00d78e63ba4deacd21040

Download Submit
C:\Users\Admin\AppData\Local\TempERVVP.bat

Filesize
163B

MD5
0f9cb28ad9c4285ead3465fe392f4493

SHA1
f95d624b4d59cab9cdd61c65967c553b970ac013

SHA256
4652a09c36dce80632df81d221960c4f11bfaa27ef8b54e9929617e0bbd57ce2

SHA512
0867e8f6d23bf0858544d76b0b695fcf869abb43a404e88a409c9faaaa655c7645ba8ea3183491eb8d8a9135038ccfcd6837920ccceaf11dbb94d6ec06c601e8

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.bat

Filesize
163B

MD5
08853a35be8e45c3640c3f672e80fe9c

SHA1
00902980912ea37b95b6e99bd7e88d5759dfe96a

SHA256
917e075095fbbcc1b098646c4bc5e216fe0dfd4066b071f0306040d619c5cb9f

SHA512
6233dcc47cad3065a4329603cedde5086decff797d8ee270fcf527202f4aeb89e6aed8417a0e0f6c14668125744b4524247e98fa6b6632182f563c9c41390d55

Download Submit
C:\Users\Admin\AppData\Local\TempFYOJS.bat

Filesize
163B

MD5
acec3fc51c7811103f1765f6f8a05b3b

SHA1
a2b51123cf7074cf80e47a755e74b59191cdd420

SHA256
3259f646f4755eae15fc05089823d0651accfa8d113fad3db263fce7cf6483db

SHA512
01b2b508082fe4e4a1a43a8ca0606a39ab080badc64b43ea51dbd3bd838c651f4d0e60f51f0bf63352a08051d76d50de55a72d948b33b5628adeeb62d716fce1

Download Submit
C:\Users\Admin\AppData\Local\TempGEMFJ.bat

Filesize
163B

MD5
af409e59cb55aaa4317b87919133198c

SHA1
376c2c6b0a07bdded30fe8618169a35d6b9e4e3d

SHA256
849f8de122fc57d81463feb5e58d78eac09b25b192f04d5c3e8d3df7d24c8b97

SHA512
b9ddc7a768e8c9dda5c0ebd74e36344112c4ee4147d2c5e314db0fc0c59f09c2a06d03a80fb51fe2e4d59143ff7acbbe1fe74098ef9db25771ca9ec298c708f0

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.bat

Filesize
163B

MD5
d08312486c2363cde3608c7f6aae929b

SHA1
ea141ade6316b85c75e30747cca8780805dc95a6

SHA256
fd09e9f788123196f451932af63ba9561db558d825be10e882b7004183c5458a

SHA512
58b7b019b32b1958cba0cf8f2e0691d7c63769bcb98b3c6ffc982b1fd3783b9fcea8011be83bd5c660bacaae24710fddf547979f04d846da1f93a092d50f3e06

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
4ff1d66e34088078840e9bfb6eedb146

SHA1
8d38af5d68d2bf926e09b6078a60bd1a85eb4b43

SHA256
9365ebd186294f5c3a7613c2f779d3eeed6037afa5c5dd1362c1bfbd14c9628d

SHA512
b9f8854a0e4573fca547d497f0e9d49d171f1a1cc65acac21781b0bc91a45c332c313b011666b9046acc954499694dc099c392a5601717a0984d1b6664f51e2d

Download Submit
C:\Users\Admin\AppData\Local\TempHEMFK.bat

Filesize
163B

MD5
9cefd998d2459579fc67fd4c86ae11e9

SHA1
47e80db8106748e56c0b9e9c6a7fe9a9a7479d3d

SHA256
2d65638d2f338912ac4bfca697e2704258b9f77070ff645d374278834d3f04a0

SHA512
95dd5c02ab171fb280a76ee148674376c491978b2371f40846c5c4d51ea47125318cd0c5b86d7e97ca46156c2d1643eecff0ca4cd18cdff312916f1ac28de97d

Download Submit
C:\Users\Admin\AppData\Local\TempIACQM.bat

Filesize
163B

MD5
d03633615465f482d07433e4f81bcaa3

SHA1
72224f10ce4f17af229143c972b7f4f9b4d6cbc3

SHA256
0a7ce8498b8e61f84b683b8638f7ee7b006d1c09acb2456b3520abd5e1aa63b3

SHA512
0fe6d2a5c2ac84ddd8bdc86e386afe14047e1e8309d2804a4c0607d9984ca7e44f85e9c55c1d78c177ba43e912e4ec249f876087c41ff1e00e4c8b2028930b00

Download Submit
C:\Users\Admin\AppData\Local\TempIJRNW.bat

Filesize
163B

MD5
d5811bd988972a3991bbf82f7b88d675

SHA1
c8c6a418f390f9e574aa8d3da830451c85fb022a

SHA256
537e0de448adb78c31b0cc3357f228d32c726ccd62bb6ca1d974b8f3b8d3a367

SHA512
5d1e6485262534ccbe3340bdcc12f4e3a86bcb26dfde1720c0a14c805b40e6e4e5748270aba15b9a6dddebf80845c26944ccf67f07bde0824e16e1700ef1938a

Download Submit
C:\Users\Admin\AppData\Local\TempIQCJN.bat

Filesize
163B

MD5
89aeecb52a2220185f9c796c6d65c102

SHA1
cf6fd2f64d8a7e8e2a914660dc518a44d059f1ab

SHA256
c3e66a6d7ecf3d2b408934acee54892c8d6d0a2aa0d1d666d83d29dc8d0eb824

SHA512
99abee4a494e46be9bbf945f5a8dfa91fc92372f7199844ab4f9a6381ec0056fbb74da29512411a53792b1b60620e6c8a7593935fd44934a8977c9a25adce923

Download Submit
C:\Users\Admin\AppData\Local\TempJXFNE.bat

Filesize
163B

MD5
fa14a2c5a22876e8a9aba9c4372871de

SHA1
c44ecc60cbdfbf628c80f6f3013fa756ae008cbb

SHA256
6308d6179a725dbd99c66bfbf6524f0159f1beaa28323025a24343dd19920d79

SHA512
4ee7997a77bd1d11f422d135f773475561b4587dcc08c39643bd3c5e23f31745ed710842e312f7129b5967e09a749bee092a1616a462f107afb4ccda4d1efa90

Download Submit
C:\Users\Admin\AppData\Local\TempKFJXG.bat

Filesize
163B

MD5
449ae0321f3229311bd16eba0ac3b1a3

SHA1
126171e7ef47d99848535e21f6362405eeb48aad

SHA256
a8b54aa118b93df0326453c7a88803344c5730ad41bec717bdf6cced9f9c61ee

SHA512
e11cb1909cac490ab3eb183af3a84e49f8d8a327529ce5f5a2edb3ef97f3c4f90f02230f581c2dfc985678d73e0642591cd454ed93803d4ccd09f9a837412af6

Download Submit
C:\Users\Admin\AppData\Local\TempKFKXG.bat

Filesize
163B

MD5
90412f17ed3f018b5de7776509a66215

SHA1
11f2253bb2c7e400498667707c636ccd3d74ebfc

SHA256
4cce60b6e7e24bd4f42093be2535032189c6962d31e0f7e0d054e2e40ea9a0a2

SHA512
a600fe6b4f792ced6899edbad7d7fc9e69b8797adabc68a7872f906457acef478f6ff83fb42e29e132e7cddc76786565da131a0ece68caade26ef9da74f4e25f

Download Submit
C:\Users\Admin\AppData\Local\TempKSELP.bat

Filesize
163B

MD5
0224368807da08cc8e3924fa4a736fe1

SHA1
e88bccc94c06bb012862d45b9716e8fcb622cf4a

SHA256
4d0593fbc22c7680d6c0f1828cc34a7d414de607e6b435284b3590a7bf05c233

SHA512
0ad9026df1ad660bbfada55e06181c1039c7c4f2b89e5b9e984c543e8ed0142a06e5b6b10aac64a2a9d34934ca6d5b3a469863e9901683037aeb0d18e43af344

Download Submit
C:\Users\Admin\AppData\Local\TempKSELP.bat

Filesize
163B

MD5
2571fac6f6656b5ebf4eb96ccd0641d6

SHA1
34438c35a6cd5dec850e15b7434901d24934b2f3

SHA256
50d344f65fefdbfb049d62ecf2a851885c505f284341c1555b1420d1be814098

SHA512
e3a8a5a713dbd3b1c1f79bfb355ddb07a22b6a8bcae88cce5ca2ecee3130280a4963fab979119c6947da0cc33f18066d1606fd04fd460aa07266802ac1e25e37

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.bat

Filesize
163B

MD5
d546667f00c1a7a9835e17ffe76e8f06

SHA1
974d3aa4deb24827d861a8e0b9ed79f1d081172e

SHA256
6445993f2c1d9093a3141efc54dfd755fb649b67d53e9abc30b3cc7e50e1ed5c

SHA512
a082bf352739346861a4e3f3a0fa8d2a6dee0ee0f23d9454e15ca1b38ee826b43e5f3b95d5c6dce3652520c99baba09a3bfc5dfb3bc6fcd19c3adeb96cb27b49

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSA.bat

Filesize
163B

MD5
08a46825f8687526303d13241600973a

SHA1
43085350ae1fcefab6da5f21cfa61871e88094cd

SHA256
53d3ce1ce804418b19fd7ed0d1e65aa46092117a49cc26a2a32750ede80c6b97

SHA512
684220fc914968d010ff118585b463bafa1c5909334dae5138caae443082278909324530016c7dc5a95f4d102573082db7a33abb5b3f753ed110a50945ab942f

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTI.bat

Filesize
163B

MD5
ef54da359e79fc21f31738c3665fb988

SHA1
50e610cf206885396ada579d441b26e84158e82e

SHA256
83c0b7045ebd2f6da13c86f80815782e71fbfcfc87e0209ad591bd4326d5dfaa

SHA512
01b1b971e7820387f8c1ad0d6d90cc92d85310f91cf3f69f952f3d66542f45bc477fb1b0fdc09f5f6f63d2bc71ebeb7e98909546d60a3c1ce654c73ce9367813

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.bat

Filesize
163B

MD5
6c99b2f4484e2f6803042d7b66cfa9bd

SHA1
20440a338cbf0cde8556bc1165579701d8cfff68

SHA256
48c11e2aa6f09674853a0c3e239a3cc426d6c39c6d29ef7216c550ddbbed6b6c

SHA512
d5d77ff16e55f79892b2222b26f579c4e17f4bc96e0f653636c0ab2b9505dd7fd6d3a79d9099bdeb9d3049be386db8aca7f600d1f9777aaf43afa03d8f57f271

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
351119e46f798c1415001c88658bfaca

SHA1
690217c27eff4dcd537c066043fcc631e8b2089b

SHA256
5de0e56c154157dcd309b2f2112f7449347d3be617e07f7153c9c45ea0ba86cf

SHA512
769d08eb6e49d2e9b7abe512dc6745b0c2daa06144cc879b97a364337b290147b1ede38903a55d003f9546f356f4ec880bc0146c572da400f73adf64dcd8eef9

Download Submit
C:\Users\Admin\AppData\Local\TempNWSAF.bat

Filesize
163B

MD5
1a15ba0942c96ad946befe1a84299150

SHA1
81cb5052e3dfbfccfce36ebe614cda1163f72d99

SHA256
00f4acfc005e1e8dd5cd682d989afe03f1e7ea57a57fada424cf43a6d33920b9

SHA512
e9833508ee354ba75bbf490d6cc67783a27f8da1acd56d42045d81257d29057f350bc5f98943caec0ca5d8cb1b9697ee782c6795316c38fa309227e866bf6268

Download Submit
C:\Users\Admin\AppData\Local\TempOJXWI.bat

Filesize
163B

MD5
81ee6d27eeb914b970fd55048da38575

SHA1
ecd71ee1519a3124f8138766743e13098ba3d06b

SHA256
2d15825eab17ddd67e8e712b332bfff5c3d47b8ed9cbebfae96b6ff8ea07a218

SHA512
de6db77558799b81a7194e3ee2ee558cbe5c6e41f52848b48e4872c39a414e6e96164bf537873de5090b0fbb40e6ed1ec31ced8ce12d924aaf24cf91f2958650

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.bat

Filesize
163B

MD5
cc94ad97eefb901f6e89f6474a0466fe

SHA1
ca2e8da446ae825fc068f31fe89b3556df3072fb

SHA256
dcc3f61968e33e9f2fc7f2b3842f161c7b50a483424bd5b86711e18cd4737850

SHA512
14c31094612cef776a184bac82ed4e47d7941ce291111ce8ab48992c80ee4c7c4c6f25caa3a1485e6b35e1722ddec6fc686369b8b63bc578bfe76cbd0c051c0c

Download Submit
C:\Users\Admin\AppData\Local\TempOQGTB.bat

Filesize
163B

MD5
63719a8481edb157f23806dcbc342bee

SHA1
01584c4baf610b05a3b4b0e602f0d02b243e2db6

SHA256
17ca2446fa9bdedc8a209cb5fa5ec28b40efe1c7f3b3174608a58541e729889e

SHA512
008511d8416bf151aa9c04ee9d6bca958694dfbbc7b98121ee74e885fd06413a0f8f266c74c154fdcd03798e47affaccaf02baa484ec5626f4c8359f9eaf8c65

Download Submit
C:\Users\Admin\AppData\Local\TempOVLJN.bat

Filesize
163B

MD5
e95acfeb457237af6afe96527da371f7

SHA1
8bc3b050182199c2801b82e3d0667c83d723aa37

SHA256
d5749216b228c5451b89f8d627155996545936afa22e06571f5bbaf77b30815a

SHA512
972d3bca56c1517464dbdb84afa9a9df48201010313582bffe921f5d586f703d4979019a6582fde443477895bdee0db983d9d3aae13c1bea987a45d2178fb0e2

Download Submit
C:\Users\Admin\AppData\Local\TempOXTSH.bat

Filesize
163B

MD5
db2308a7ce895f13b0be0703d8d3f888

SHA1
20558b3a34e2f2bae028717aa7390c12261442f2

SHA256
1ccb760bd77fa01acebd7eb6bfb5f8085d364252f0c93ba39ad9133e97833737

SHA512
f40d9914fce68c94aa6734bd0a70a2928bb41e44aaeb4a806f8b86e5d13964cfb9d13d7fef8d27fe3d999786f17d859d3be01a0da4a754d89649f58f313fb735

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.bat

Filesize
163B

MD5
a92f22d6aeebba42c05729c0c7188c08

SHA1
0de2b31be037959418e09bd24a547bba663e5fbe

SHA256
a75a1c5499d9c5d310706d6f0f239247e0eb87c3a09adf045d8514034a81bfad

SHA512
8334a9f1a511194751060865501a1e4c8bd24c625a4251b2ebed829b4e88da66b69af1857786a2fac53075e5774662c1689113e0c370c74a160e21e7b306f35e

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXL.bat

Filesize
163B

MD5
5d0d5ad40d6fd09a0d716640cbfa1ac8

SHA1
ccaf0e23a3cff154b4863714b904dde9f3a05e47

SHA256
7e9d503b5dcf215ce570cee881dbf382d056c6d601e8859ff668b1348cce0159

SHA512
8b6a6f15623f84655016c2877899c30d5b3e475d666c3f08a175f1efcdd08231927338c839d2d3f4d9fb7ab6c58c68df1c09b8e28277ca9bc8b1a92d8961d4f2

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.bat

Filesize
163B

MD5
d8dd752b8d973aa78dcd337a3db82d2c

SHA1
c1ed590c6c7d6ac1c8f97bb3b6ad786323c1a853

SHA256
8079ea63d2ad5a4b60dd7292446e1239067963f57c734089f25bf16f48363696

SHA512
44ba1b7d27037555353137d179a9f48e06dcf7f9b9a74e2ee7a1c78f4f74674fb930b7c07af6f7de274af6aa6ed424bae3f5d19ebc36b068d552c78a889dd1ff

Download Submit
C:\Users\Admin\AppData\Local\TempRNAMU.bat

Filesize
163B

MD5
6a62a32a9fc428abb6dbc8442fe6f4a2

SHA1
dd2e236722051cdd25302b0c29087443dc2a3f64

SHA256
f0a53b50b2787d78c5c409dc3f808cddd55f27b2510f15cb29815dfc08e8e188

SHA512
8e815d2c8d04d174ba0071b06e71af3ef148971278eca0c0a5900e40bd943f90e216c8befc7d4d78751870a387fe24db0e7ed5ddc7ca1bb2c4563d34b30f06f8

Download Submit
C:\Users\Admin\AppData\Local\TempRRCWV.bat

Filesize
163B

MD5
4e1bd99e24df2894bc8d6ca5770c579d

SHA1
5600d1a3f6c3e7edaf7cb21e2140548cff9f83ff

SHA256
690c45e0963cb87f5a01c5c56b9496fca439f1f82c53d6654610568c599f89f5

SHA512
5c7484f19badf65018fcad73d0ef6a292b959eb9e8bf810748b355595a96085a59910718377b07513c7ac4d688582bee7058b382934d10caf591c83bd820a5de

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEF.bat

Filesize
163B

MD5
937085bf627548f7076e9b52381f97f6

SHA1
f03a87b250907bd70536ad458ba61737eeee176d

SHA256
b0dcad66b0f29c00ff97308e3e522e202323ef282a88e83cdaf96a1ddb1b6581

SHA512
061be3562e8bb5d04dbe488485c6ff6c5d661f0e7d21bfcfbbe05542266a1023bf0bd905822e03955e3d5e8b049d9f5aa7d447c9a64779730a735f3ab90f4627

Download Submit
C:\Users\Admin\AppData\Local\TempRTYEF.bat

Filesize
163B

MD5
797d6dd71ef21eb91502a6e317609803

SHA1
0a1370c99900e539a4a30f8e4b19b997067bfc6a

SHA256
27fa446fc5d39038b8a2cdd4ec05d0f8a68b2d53a29e629d3760bac360dcc0e0

SHA512
75a349bfa64ac9eb041ec1a6ebb12442fc08e68e36f3382be1bc994eb4ee6afbc92fcfe61aaefa791f839c1c2c3f5df39a22cea46b68483a5cca7719d9aab0d1

Download Submit
C:\Users\Admin\AppData\Local\TempRVQXM.bat

Filesize
163B

MD5
c77c45252711b8c57a85bd15dd837d11

SHA1
4f2bbc1a53a9f029a96036987f6921cf1afcedc8

SHA256
27e6d61132f14fde7f4cb0b6abadf9db1fc94ee3cd8a70e4f93c62b1fed520a2

SHA512
6304e16d425b616db4bd39289b6e7ab5a912df5e801908e64f6e02b918a9ada626c80b509b647395d3018f7cba138529b0f2513b93bea36eed6b5b7a9dd23b20

Download Submit
C:\Users\Admin\AppData\Local\TempTMPQV.bat

Filesize
163B

MD5
dece1bb4c4060cccca68ff5621ed3d25

SHA1
a74e333744611e9bcd84d99b7a951646c3596f69

SHA256
0502c6772682b53b3ef9012f93aa1e8ecf3e74fe59f88eaa209bf81310e3a986

SHA512
913debe33dd00e546ee5708301bb77f5c9cee2da01dd1ddf8880e65ca64c8c5e4a0919df7ae8669ee10fcfa0e2249938f6bec401b20cc660c3badd151710d19d

Download Submit
C:\Users\Admin\AppData\Local\TempVJKKT.bat

Filesize
163B

MD5
e1aa77ec10b36c8029fbeef215adb276

SHA1
9cf99ce961e32fddf3ad986134f51f931db15d66

SHA256
30776d62595de30ea3cb0845a2b745687b39d3c0f1acada091953cd906bef92a

SHA512
80762902ee8ebd72cb10f1be4d9597f396369ac5ad20dd4bf96e045be0a386b11dfb452da13e18bc9074d952ce6f7a00c6ee08baf85f0e15f1795e1a73c16d89

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.bat

Filesize
163B

MD5
38582d0b8684e515acc8a0b855142358

SHA1
091d9a23d9ea9a7fa0a7583fc3233521f038d3f8

SHA256
86ace41294290c8dd92509de6b1a6245e1ac20c41f4f1d7501be7ee721223776

SHA512
b5b207d182e0c3b8ceb79160238c24e6af6c482485d77c2b2b4bf0130611db60c503c2b1f6bcf4220328862c7ff650a3ac4f508dede00b8e50e3dcd92241a633

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.bat

Filesize
163B

MD5
9023c45163475824b955591c8f620a31

SHA1
01ad5967899cc402841f712605b78906c8809a27

SHA256
1301ada84c87e7138b4e911f991aa1e43f5f6165f656e10f80fcccd41ee5add0

SHA512
1536ca9afe5e8e849001f9a1b6bd6d7ea19af31dc2dc35c54a8ada97182eefd57669ef1e4507287a1c33c3bdc02860e2705d8b2f27059fa629ed926e12639392

Download Submit
C:\Users\Admin\AppData\Local\TempWLXIH.bat

Filesize
163B

MD5
e15ed94a31409832b91cc71bead0d445

SHA1
9f5b4b6b137b4d43161fe51b79e67f5bd28a52b7

SHA256
3e7659ea6d65e58993dba401ea44c6b0e68618752a7b52b1a1ca1436153de054

SHA512
272b2ebbe1eaa7a1fa81b48d8735644706386c2792aed68f1c6fe6e492006da069be43e616e542a45a05854a708c981fcae1f9b698a26973abcbb0f369e72447

Download Submit
C:\Users\Admin\AppData\Local\TempWLXIH.bat

Filesize
163B

MD5
beb7827ed78d003005c06a6e75d39ca8

SHA1
b53687b4ebf0261ab24f931cbe49fdcd4462254f

SHA256
eadc4a0bd95f17102c5a1e0f5395919eaba58e5c21a9dc773f89d3621b1f8ff4

SHA512
02e1fb2f87d0c388c7f55e6de1a3b78c505e53cec5722753e0ebf950c9de247252e723adace937912bf4ae8954fabe9e31f070e311d7a2b38c01fcc962cbab72

Download Submit
C:\Users\Admin\AppData\Local\TempWLXJH.bat

Filesize
163B

MD5
0d6c34dc351b342394b22dea34cf6170

SHA1
52a96c63b9b8f0a790269762394ec9248de8c223

SHA256
224c12d088bab7f6c5242daa4b8e8817421bd6ae2e3636a2d31b5092a8909a0d

SHA512
62caf926bb84defeb29cf4b002c64495538109a24dbe778f46f27d2c56e4654ba05032f5d35e1811d882d4fb28a10704424ae159706bf1cb42f9db74fe26b10f

Download Submit
C:\Users\Admin\AppData\Local\TempWNLPK.bat

Filesize
163B

MD5
884f872446b496b13121f8e4b2c3dab0

SHA1
e9e39cbdcd88bcd4bc75d56e913f566697828d50

SHA256
9887afd72d7eb17caa575d9cf0a0600419fa2e86c9d68983b80d761463d0861a

SHA512
644dba49a0ba73a00101125cd48c0181f4a82a5d092ba203c1d6716856e4ad330fd683ba51de0c8a36ea29a6881f437fb49824bff832569fd08f1c0cc8110363

Download Submit
C:\Users\Admin\AppData\Local\TempWNLPK.bat

Filesize
163B

MD5
13121050a54fa9e2e16b2d66178825a0

SHA1
665b6d1a77458b004e58bf1d4bea12759373c6c1

SHA256
2a36e3419d54483cd4b932099209f8882f2f746a6f202d0ad5b2213d14325c7c

SHA512
7fac727e2114c682be78c746ca301fa30fe69ba10d4cc85f724eb1240a82f876c5d1c774b60c6ee7f08ba783f7c36a0edf8878d3629358febcc7014d9dc8f5ab

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.bat

Filesize
163B

MD5
8908c4d1492a2acb5b8db833be4b7532

SHA1
87ec2d5a8aac6715b06055194ac5c2754eead4a4

SHA256
5a4ab10ad79680d818d0ce4545483e491e3261fd75989d3a3508c35ece9d7d58

SHA512
ecfa22a654b2e2223b2ec921d4535e0c92677913082caaa352b6643565e87707eae857cbd16d082a919153bd9521ef4a32e28251de29216aed874b39679b0aba

Download Submit
C:\Users\Admin\AppData\Local\TempWVRSS.bat

Filesize
163B

MD5
f7c2b529214710d2bba1b9dac4bdcef8

SHA1
0341723ce1dc588132281d460b672d26556c9c99

SHA256
71600a0cf16a5798f7590d1088d945259ddf2dc2548b5b04825a70066f685691

SHA512
c0d55e5894c48b924681a5c4d5d7adde5a4f3b3caac8decf33e4cc604c41cedfac18e4d6174442b98aa590327492851a054cb291371b425c2b45f14c40ca4f2c

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.bat

Filesize
163B

MD5
a70a9dfb51a011a4d5c0ebab233c466a

SHA1
50fa4c4aed69fe490b58985c672117810239b66a

SHA256
5d2571f85391130fdd77d1def5dd9cd247accacf0e82c6d1eb19791ab167897e

SHA512
f44825ec08f3db15b3b5a20fd412a414256f2a64db2cfb92c24340e5fae74ec4c20e1b646ea7c2261e46c51d08715111c4e93a13d4059a4876f8c7b20b2a4695

Download Submit
C:\Users\Admin\AppData\Local\TempXNOLU.bat

Filesize
163B

MD5
e06b1457c2f436fdbc3bbe1ba0c8992a

SHA1
8f246898f39a37436bceb62433ec9cf84d208b72

SHA256
09eb5ab5b349f13fcdb851c1f3b14e67074d6f1ec54dd62b1fe2dd0584d55f33

SHA512
afa84d0e11825fde2a570c6b5955f5d2107d6e6836f7e470c757ee7eb680081b71dcbb8863133e42c9ff43cabf1971838fa9f6735597656be633da3d8e18283a

Download Submit
C:\Users\Admin\AppData\Local\TempXSSHQ.bat

Filesize
163B

MD5
583034df91926a3634a47160c596c6e7

SHA1
7b5908bfba142bbd1552a5b81a3ad802f1011107

SHA256
807bf24625cba65ac45763e35c154562bf43ed5aa66b547a86b79715724d6961

SHA512
841cbdca67cea26f5e6b9a98b7a1cf1ed1e1f6eb8730a2007ed0be2391d7b84a5725088106fb4335da43b204e028327f0d80113d2eec2a81a8d822ba7b0ce177

Download Submit
C:\Users\Admin\AppData\Local\TempXSSHQ.bat

Filesize
163B

MD5
59d30af5fbbc430790d2e323ea7bf1c9

SHA1
30f9548b1eae0e2133007f9e0f25eaf450b3ad8c

SHA256
ae21b6a444af4fdbba733bb48a1eee2f2347464aeacaf3f39c71db271a787d50

SHA512
8de5add873b5807e08b0235cd54b47abdcdabf5d43eefbeb4236428e5796ca50246d22eb439c5231b5d800783a4493bd994f7cc4dc2bdccc7ee2c829622db797

Download Submit
C:\Users\Admin\AppData\Local\TempYAHHQ.bat

Filesize
163B

MD5
559765df6500051fcb7b05a531784948

SHA1
a352c5b0ae4650404989944559c6aac131744d3b

SHA256
7218951015fbfda41d6abd84c116eaf053514c2ada6978fc0e50f17fe2ed8179

SHA512
4b5cd8bc9a3792d6a216d5dc71d18177f325038bf513b6415be74f9dcafd5707aa46e276c7b682bfacb74681cbbba554f02ec84289699a410aae25937acb1c01

Download Submit
C:\Users\Admin\AppData\Local\TempYFGDL.bat

Filesize
163B

MD5
ae2b80ec322acc6a3a92946b6017b9b2

SHA1
df6d13bde6c449353f44fef2a2ee64117504e7b8

SHA256
40baf497022d6b4a4b5aab79809cfe0e6cc012491fabd0beff85cf55ee2495cf

SHA512
ea3175e8f20c417250ebc64d9ba7ff6f9092ea1cfcc598a93f2a58de8329d98c649d47bf2a8b4a85a834d9fe222e56f993b245cd9a89cac10a8cad028b9200f0

Download Submit
C:\Users\Admin\AppData\Local\TempYGHQL.bat

Filesize
163B

MD5
3fde9d66db99fe0a8345af71043380ca

SHA1
c5d9611efbb5affe1a44bff0bcab0e5b2a726a27

SHA256
4e6b534adfe1dd850837a6c6e85d65c515abd49a2bda0381586334cbe2548540

SHA512
40ed5a60eb03ea7bae6b724a0dc1c47f7f7e5fa18291d6f2861ddfd2e86418a02fd1ce4e1635dd65906282709f0747f1c43341da1d154d942f1713cc43d1d186

Download Submit
C:\Users\Admin\AppData\Local\TempYRXJF.bat

Filesize
163B

MD5
8fba6f32c9a4e3421df557566b600edf

SHA1
6e03f4688dfbe394710df6d08f2cbc03f6894d21

SHA256
d2b60f1c2a886a6898459f9ec2c58f5833868cefc80b19610c02ede751f12cca

SHA512
692c9d0956d3b741533ed124bbfdbdaef8dbaaa85d6f06cea2c6e71e9c8ea5222511c2b2d8e1557306d8e5db1a3658a248fdaa91e49ed501623e1f81e112f8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe

Filesize
520KB

MD5
a0a3fc31d622ac73c493b1f52f6f916b

SHA1
3f76af06fe4a3f52a961473c8b08afef0edc7d83

SHA256
802434a85f2725d467bf3793091e68b1c17091692515240700d875c99c53a41b

SHA512
32e6f5dd62ac139460c702c4deb2fe58a6edc2b8a9cfabb768d2116be9432040d4bd474771d364cfae980d7150bde6e2954272ddca088780918b133c3f911552

Download Submit
\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

Filesize
520KB

MD5
d8c59269c2e1fe7027b66f7b9a37b23b

SHA1
3445d4539d296ae464f74932301a1fa6e12f308e

SHA256
305cab4065de8265811304e90669e58bf40cdcc6b5cd8f2bed79b8c21aa5e964

SHA512
08024a860bf1818c5014d56f32819628748909118b1bf2fe2c27b3437cb1208f22ce2119f44ad2158ac2b060fb18a6c23655b90d167da3128a776ee97381c3fb

Download Submit
\Users\Admin\AppData\Local\Temp\EMEVNJEXOPMUGNR\service.exe

Filesize
520KB

MD5
1d2ab4c6eb58edffc7528b71b5a49b3d

SHA1
c2895cb735d8b43b25a801e1825c46e39d6faa58

SHA256
d2fd260e2f4a9257069e65b0e10a51e176c816d07f964809dd5c13f29dde2999

SHA512
b7884c9115f2a3a8b926ab8a3a192515e9b9aa5041dbfe1cc36d49f03769817250040c698c633ac68b03e39d6e7c55d3fd5125eebca479065451715b074155ca

Download Submit
\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe

Filesize
520KB

MD5
05b42a3fb620817d6604787cc26622b4

SHA1
71a414674da13de3d6d8dcd699d95d732b0d17c9

SHA256
1c96c27b2b1f79fcf341e69851e61836faee4375e32f9fab72c6218a86e134e2

SHA512
65a56e00ea22cd1c6594617a4edecba15ce96ac15d85cc587f9b2f17a8fbddd6e96a58c91e6b7d36ef40c2dd300e2340fe15adfeaad06e9860778468ca4e71c0

Download Submit
\Users\Admin\AppData\Local\Temp\ESORUTVHLQEBPXP\service.exe

Filesize
520KB

MD5
205d430ae8d4cb648337cf021afa1675

SHA1
be434b4fea864784b3813c470ff975627b1d2057

SHA256
123091349a48558029703509304021bb804a67d50d6d6804432eee815416f8e0

SHA512
fcb221e73b91f8c2fef636d440b0ad8319b6ce07df3f194de89ecd53787b619be444dbfdd6630c22e80a3328fe9a3fb22bb070c84bb800fb164855c920d13abc

Download Submit
\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe

Filesize
520KB

MD5
28e132eea21d92799cbac6b0cc2e0e26

SHA1
4e179105e57533cefda555744f1d0d7da9580a52

SHA256
7e03c41c410bc848f471eb2ccd23c59b8325e562b3ee6c91c30dff21d05bccd4

SHA512
087a61b663a1258a9f9c334155a6b35dd9a96cb646b657b6f3d7987d5d7c9b6e8d8dfd9d535b1ceca5201d326abf82984d89ca78bd694e1414f4fb357af16e44

Download Submit
\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

Filesize
520KB

MD5
e982f57f5e795b6b4c005bb99a0a3fb0

SHA1
71391003acbe739b19422840f394c7f7bcfd7cd2

SHA256
eb1a3dc2c11d946199cd0572acbf45b7d65da090fdeedd2e1e28ee7c8f05e74b

SHA512
33bd639529ebb7962ec6fab92057e880e007f1a50ae6ed98441bcd92c981e351a3b30b724e4265091180889fba1b88c428ffad1d3d870898898f33d7eaede1d6

Download Submit
\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXXJ\service.exe

Filesize
520KB

MD5
d35e32eb8fb0e7a04d7c01352d05706b

SHA1
8558c36930f42996389b0dd5191b1ca80b74a66b

SHA256
c26b101d2937d1ec46440a60aedaecae8c976afb143d2104c482166177046984

SHA512
e3745cc157346509992ef0a73766c3594f9143a07dc3d6d7969788d5525dc21137da0a7fddf9ea4733df2a99f47e298cf7f62cf28a7a3dcf3338fdddf4eca086

Download Submit
\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe

Filesize
520KB

MD5
4e97448bd8102506281c2596129e1950

SHA1
0dd0eaba065756f0f3ea604f4443caee3df916a1

SHA256
eef13505472bac4a0b2b659ecdf8520fc4faad7b74cbc6ee42735867d2c177a4

SHA512
5061b4f3062a2ab0104ff2beeeaa1d9c90044b6d25d1205350353d3e81dc4e0ca8cfb7d1e85da9461f45c89126b41d2d444c2a86c3b0f5a8414b403f671758a4

Download Submit
\Users\Admin\AppData\Local\Temp\VONVJIJFDKFVJQK\service.exe

Filesize
520KB

MD5
91527bfc0d52717e10b313b5b0f090d9

SHA1
b3cd485d692252a97f78173396489b8c914b6526

SHA256
9e051352b75c328657f96790f4431aba285ce4353b125105720de99baa67f022

SHA512
41aa36193a1f222ca5bdb3d17c24f8ac48453b94cb3a331cd0fcb29afcae8dfb7a0977bbaeffb7a8903cbac22109d2a923d236670a455015bdc7ee6719608055

Download Submit
\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe

Filesize
520KB

MD5
444351828aa130c6c6ccd397be2cf1ad

SHA1
2713d6c9ae280b7069cb61149df770c9a541ad41

SHA256
1610c522b68812c0e8097de23e9d04b763c6f114dc6ac07f7052327c70dd9616

SHA512
dbf7d79a6e3df0fcf573727c065f21d87b2d3d2589c03918629e8c1c185ecbd0d99d21d4dbae4fe7ea2739bd603f7a8b5792c58f075113c73329bb7bd2bed937

Download Submit
\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

Filesize
520KB

MD5
0be93c9b47cf8a6dac2ba34123b3e087

SHA1
9333749a42c20e615934f7e9d7126a91962ff067

SHA256
4acf80e3f0e2f718994858fea72134012ded4476972c3d04c3704ea97b8443e9

SHA512
3f90e281427b36afe07641d226a3047e49c48da17f624063eb5975a5646458ad3a2cd53d36c158fcb352174c5d00e9f0cb63dec3866272d4933aa6071a1c31b6

Download Submit
\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe

Filesize
520KB

MD5
109007988fe68e9c80064bd8b4fe3e3f

SHA1
91339ab3208451ebf79396533ddec58a85b108f1

SHA256
47a23260dea95f27325828a8d4246c83bfe036233478f138b5c4726bb7511894

SHA512
a371d9e925179ebc6523e35ef577ece6ffc317dade035b471a098a92ed1f87e34c6691283e6ec4afed6120c2f0f9f869d36fa3a3bee30d82a2d1174f81bb54bc

Download Submit
memory/2664-1748-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2664-1753-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2664-1754-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2664-1756-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2664-1757-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads